Read this thread:
http://www.linuxquestions.org/questi...curity-521792/
Basically, you need to validate ALL input on your forms. The email field should contain ONLY data that matches the email format, and you should automatically kick out anything that looks like HTML or doesn't fit the email profile.
All other fields in your form should be checked for SQL syntax, or for HTML tags, or anything else that doesn't need to be there.
Your fields' string lengths should be limited to something adequate and sensible, but not long enough to permit injection.
You might want to run stripslashes to get rid of backslashes used to escape codes being entered.
It isn't that hard to secure against SQL injection, but you need to validate every single field on your form.
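The per-field checks described in this reply (email format, length limits, rejecting anything that looks like markup), written out as a PHP validator for a small contact form. This is an added example, not code from the reply or the thread; the field names `email`, `name` and `comment`, the `contacts` table, the length limits and the PDO DSN are all assumed placeholders. The validated values are then written with a prepared statement, so they reach the database as parameters rather than as part of the SQL text.

```php
<?php
// Added example (not from the original post). Assumes a form with fields
// "email", "name" and "comment" and a MySQL table "contacts" reachable via
// the PDO DSN below; all of these names and limits are placeholders.

const MAX_LEN = [
    'email'   => 254,  // RFC 5321 limit on a mailbox path
    'name'    => 80,
    'comment' => 1000,
];

/**
 * Returns a cleaned copy of $input or throws InvalidArgumentException
 * on the first field that fails validation.
 */
function validateContactForm(array $input): array
{
    $clean = [];

    foreach (MAX_LEN as $field => $max) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            throw new InvalidArgumentException("Missing field: $field");
        }
        $value = trim($input[$field]);

        // Length check first: oversized input is rejected before any parsing.
        if (strlen($value) === 0 || strlen($value) > $max) {
            throw new InvalidArgumentException("Bad length for field: $field");
        }

        // Reject anything that looks like markup instead of trying to clean it.
        if ($value !== strip_tags($value)) {
            throw new InvalidArgumentException("Markup not allowed in field: $field");
        }

        $clean[$field] = $value;
    }

    // The email field must match the email format exactly.
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Email address is not valid');
    }

    // Name: letters, spaces, apostrophes, hyphens and periods only (allow-list).
    if (!preg_match("/^[\\p{L} .'-]+$/u", $clean['name'])) {
        throw new InvalidArgumentException('Name contains disallowed characters');
    }

    return $clean;
}

/**
 * Stores a validated record using a prepared statement so the values are
 * bound as parameters and never interpolated into the SQL string.
 */
function storeContact(PDO $db, array $clean): void
{
    $stmt = $db->prepare(
        'INSERT INTO contacts (email, name, comment) VALUES (:email, :name, :comment)'
    );
    $stmt->execute([
        ':email'   => $clean['email'],
        ':name'    => $clean['name'],
        ':comment' => $clean['comment'],
    ]);
}

// Constructed sample submissions for a quick self-check (no database needed).
$good = ['email' => 'alice@example.com', 'name' => "Alice O'Neil", 'comment' => 'Hello'];
$bad  = ['email' => 'alice@example.com<script>', 'name' => 'Alice', 'comment' => 'Hi'];

foreach (['good' => $good, 'bad' => $bad] as $label => $submission) {
    try {
        validateContactForm($submission);
        echo "$label: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}

// Usage against a real database (DSN and credentials are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// storeContact($db, validateContactForm($_POST));
```

The validator rejects rather than rewrites suspicious input, which is what "kick out anything that looks like HTML" amounts to in practice; a field that changes under `strip_tags()` is treated as a failed submission, not silently cleaned. Length checks run before any other parsing so oversized input is discarded cheaply.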