I like the sprintf way Wildhoney taught me. There will always be different ways to hack into the source but sprintf, mysql_real_escape_string (or without _real), addslashes and such will prevent almost anything.