Avoiding SQL injections is dead simple: escape *every* variable you concatenate into a SQL query or just use prepared statements