Sql Server 2005

Tuesday, April 05, 2005

How to protect against SQL Injection attacks?

The best way is not to concatenate SQL strings in the first place -- use parameterised queries instead, so that user-supplied values are passed to the database separately and are never parsed as part of the SQL text.

You should also use regular expressions to make sure that only 'appropriate' data is entered into fields. For example, a ZIP code should only ever be numbers, so you can have a RegExp like \d{5} to enforce 5 digits (US postal code). Make sure the expression is anchored to the whole field, otherwise it will accept any value that merely contains five digits somewhere.

You should also look for things like quotes and hyphens, which may be signs of someone trying to inject code, but remember that they are also valid characters in some fields (names such as O'Brien, for instance), so treat such checks as a supplement to parameterised queries rather than a replacement for them.
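As an added example (not from the original post): the concatenated query beside its parameterised form, together with an anchored ZIP check. It assumes Python's sqlite3 module standing in for SQL Server, and the customer table is constructed inline.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data; sqlite3 is used here in place of SQL Server.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, zip TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("Alice", "90210"), ("Bob", "10001"), ("Carol", "60601")],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, zip_code):
    # Vulnerable: the user value is spliced into the SQL text, so a quote
    # in the input changes the structure of the statement.
    sql = "SELECT name FROM customers WHERE zip = '" + zip_code + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, zip_code):
    # Safe: the value travels as a parameter; the driver never treats it as SQL.
    sql = "SELECT name FROM customers WHERE zip = ?"
    return [row[0] for row in conn.execute(sql, (zip_code,))]


def is_valid_zip(value):
    # fullmatch anchors \d{5} to the whole field: exactly five digits, nothing else.
    return re.fullmatch(r"\d{5}", value) is not None


def is_valid_zip_unanchored(value):
    # The same pattern without anchoring accepts anything containing five digits,
    # which is the mistake the post warns about.
    return re.search(r"\d{5}", value) is not None


if __name__ == "__main__":
    db = make_db()
    print(lookup_parameterised(db, "90210"))
    print(is_valid_zip("90210"), is_valid_zip("abc90210"))
```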
