The best way is to ensure you are limiting your input based on expected value types. You can refer to this:
docs.joomla.org/J1.5:Retrieving_and_Filtering_GET_and_POST_requests_with_JRequest::getVar
or
http://api.joomla.org/cms-2.5/classes/JRequest.html
Possible filters are:
- INT
- INTEGER
- FLOAT
- DOUBLE
- BOOL
- BOOLEAN
- WORD
- ALNUM
- CMD
- BASE64
- STRING
- ARRAY
- PATH
- USERNAME
Then you can escape the data using:
$db = JFactory::getDbo();
$db->getEscaped($data);
http://api.joomla.org/cms-2.5/classes/JDatabase.html#method_getEscaped
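Worked example of the two steps above (type-filter the request value, then escape and quote it before it reaches SQL), shown as a vulnerable query next to a hardened one. This is an added example, not code from the answer or from Joomla itself; it assumes Joomla 2.5 with the framework already bootstrapped (it runs inside a component) and a hypothetical table `#__items` with columns `id`, `title` and `catid`:

```php
<?php
// Added example (not from the answer above): filtering request input with
// JRequest and escaping it for SQL on Joomla 2.5. Assumes the framework is
// already loaded (e.g. inside a component) and a hypothetical table
// #__items(id, title, catid) used only for illustration.

defined('_JEXEC') or die;

// --- Vulnerable: raw request values concatenated into SQL -----------------
function getItemsUnsafe()
{
    $db    = JFactory::getDbo();
    $catid = JRequest::getVar('catid');  // no filter: "1 OR 1=1" passes through
    $title = JRequest::getVar('title');  // no filter and no escaping

    $query = "SELECT id, title FROM #__items"
           . " WHERE catid = " . $catid
           . " AND title LIKE '%" . $title . "%'";
    $db->setQuery($query);

    return $db->loadObjectList();
}

// --- Hardened: type-filter first, then escape and quote -------------------
function getItemsSafe()
{
    $db = JFactory::getDbo();

    // Numeric input: the INT filter turns "1 OR 1=1" into 1. Only a type
    // filter makes an unquoted numeric comparison safe; getEscaped() alone
    // would not help here because there are no quotes for it to escape.
    $catid = JRequest::getInt('catid', 0);

    // Free-text input: STRING filter strips tags, then escape and quote.
    // getEscaped() only backslash-escapes the value (the second argument
    // also escapes the LIKE wildcards % and _); the surrounding quotes are
    // still your job, so quote() is applied with escaping turned off to
    // avoid double-escaping.
    $title = JRequest::getString('title', '');
    $like  = $db->quote('%' . $db->getEscaped($title, true) . '%', false);

    // Identifiers (sort column) come from a whitelist: escaping cannot
    // protect a column name in ORDER BY.
    $allowedSort = array('id', 'title');
    $sort = JRequest::getCmd('sort', 'id');
    if (!in_array($sort, $allowedSort, true)) {
        $sort = 'id';
    }

    $query = $db->getQuery(true);
    $query->select($db->quoteName('id') . ', ' . $db->quoteName('title'))
          ->from($db->quoteName('#__items'))
          ->where($db->quoteName('catid') . ' = ' . (int) $catid)
          ->where($db->quoteName('title') . ' LIKE ' . $like)
          ->order($db->quoteName($sort) . ' ASC');
    $db->setQuery($query);

    return $db->loadObjectList();
}
```

Two points the answer's snippet leaves implicit: escaping is only meaningful for values that end up inside quotes, so numeric values need the INT/FLOAT filter (or a cast) rather than `getEscaped()`, and neither escaping nor the filters protect identifiers such as column names, which should be matched against a fixed list. On 2.5 `getEscaped()` is a deprecated alias for `escape()`; the example keeps the name used in the answer.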