From my experience the most important factor for preventing any kind of code injection attack (either sql, php etc...) is the sanitization of the user's data. When you receive input data sanitize them with specific rules (this could be easily achieved with the php preg_match function). In that way you can reject an input if it is considered harmful. Also, when you receive a $_GET or $_POST variable, it is not treated as code, unless you explicitly use it in that way. For example let's consider the following senario:
<?php
if ( isset( $ _GET['view'] ) )
{
include( "viewsfolder/" . $ _GET['view'] . ".php" );
}
?>
In this senario your code could be injected with harmful code. Let's say that the attacker could find a way to upload a malicious file to your server to the "viewsfolder. Then he could easily call this file and make it execute in your php code by just passing as $_GET parameter (view) the name of the file.
Another example, more harmful, could be if you were using the php eval() function which executes a string as php code. For example, you could received the user's input, concatenate it with some other code you have stored in string format, and then call it through eval() function. This could end up to a code injection.
I don't think that you will have some kind of problem if you sanitize your inputs with regular expressions in order to prevent unwanted code like ']', '}' , \' characters. Also keep in mind that you have to escape your input in order to prevent sql injections - in case you use your data with some SQL DBMS (this can also be easily done with the mysqli_real_escape_string - if you use mysqli connector - or with PDO's quote function or by using PDO prepare statements ).