You should use mysql_real_escape_string for escaping string input parameters in a query. Use type casting to sanitize numeric parameters and whitelisting to sanitize identifiers.
A better solution would be to use prepared statements; you can do this by using PDO or mysqli.
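As an added example (not part of the answer above), the following puts the three sanitization rules and the prepared-statement alternative side by side. It is my own illustration and assumes a hypothetical `users` table (`id`, `username`, `created_at`) and placeholder connection credentials. It uses `mysqli_real_escape_string` in place of `mysql_real_escape_string`, since the `mysql_*` extension was removed in PHP 7. Note that even with prepared statements, identifiers such as column names cannot be bound as parameters, so the whitelist is still needed for `ORDER BY`.

```php
<?php
// Added example; not code from the original answer.
// Assumes a hypothetical `users` table and the connection settings below.

// Identifiers cannot be escaped or bound, so whitelist them against a fixed list.
function safeSortColumn(string $requested): string
{
    $allowed = ['id', 'username', 'created_at'];
    return in_array($requested, $allowed, true) ? $requested : 'id';
}

// Legacy style from the answer: escape strings, cast numbers, whitelist identifiers.
function legacyQuery(mysqli $db, string $username, $page, string $sortColumn): string
{
    // 1. String parameter: escape using the connection's charset (not addslashes).
    $safeUsername = mysqli_real_escape_string($db, $username);

    // 2. Numeric parameter: casting turns "1 OR 1=1" into the integer 1.
    $limit  = 10;
    $offset = max(0, (int) $page - 1) * $limit;

    // 3. Identifier: whitelist, because escaping does nothing for column names.
    $sortColumn = safeSortColumn($sortColumn);

    return "SELECT id, username FROM users WHERE username = '$safeUsername' "
         . "ORDER BY `$sortColumn` LIMIT $limit OFFSET $offset";
}

// Preferred: PDO prepared statement. Values travel separately from the SQL text,
// so no escaping is needed for the bound parameters.
function findUsersPdo(PDO $pdo, string $username, int $page, string $sortColumn): array
{
    $sortColumn = safeSortColumn($sortColumn);
    $limit  = 10;
    $offset = max(0, $page - 1) * $limit;

    $stmt = $pdo->prepare(
        "SELECT id, username FROM users WHERE username = :username "
        . "ORDER BY `$sortColumn` LIMIT :limit OFFSET :offset"
    );
    // Bind LIMIT/OFFSET as integers; a quoted string there is a syntax error in MySQL.
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Same query with a mysqli prepared statement ('s' = string, 'i' = integer).
function findUsersMysqli(mysqli $db, string $username, int $page, string $sortColumn): array
{
    $sortColumn = safeSortColumn($sortColumn);
    $limit  = 10;
    $offset = max(0, $page - 1) * $limit;

    $stmt = $db->prepare(
        "SELECT id, username FROM users WHERE username = ? "
        . "ORDER BY `$sortColumn` LIMIT ? OFFSET ?"
    );
    $stmt->bind_param('sii', $username, $limit, $offset);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Placeholder credentials (assumption): replace with your own.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
$db = new mysqli('127.0.0.1', 'app', 'secret', 'app');
$db->set_charset('utf8mb4'); // escaping is only correct for the declared charset

// Attacker-controlled input: the quote and the injected sort column are both neutralised.
$input = ["name' OR '1'='1", "1 OR 1=1", "id; DROP TABLE users"];
echo legacyQuery($db, ...$input), PHP_EOL;
print_r(findUsersPdo($pdo, $input[0], (int) $input[1], $input[2]));
print_r(findUsersMysqli($db, $input[0], (int) $input[1], $input[2]));
```

With `ATTR_EMULATE_PREPARES` left at its default, PDO builds the query client-side by quoting values itself; setting it to `false` sends the statement and parameters to the server separately, which is what "prepared statement" usually means and is the safer default. Calling `set_charset` matters for the escaping path: `mysqli_real_escape_string` only produces correct output for the character set the connection is actually using.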