Anything submitted by users should be checked / stripped / made safe
any checkboxes should be checked to make sure they are 1 or 0
any ints cast as integers
eg $var = (int) $var
and checked that they are between your valid ranges eg can it be negative, can it be 99999999999
chars converted to html safe versions eg < to &lt; with htmlentities();
IF on 1.1.x, you need to escape chars that could result in sql injection (like single, double quotes)
IF on 2.x, the new query functions will do the escaping.
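Added example (not from the original post) of the checkbox, integer and HTML checks described above in plain PHP; the field names, ranges and sample values are made up, and the SQL escaping step is left to the framework's own query functions, which are not shown.

```php
<?php
// Added example, not from the original post. Field names and ranges are made up.

// Checkbox: a browser only sends the field when it is ticked, so normalise to 1 or 0.
function checkbox_to_int(array $input, string $key): int
{
    return !empty($input[$key]) ? 1 : 0;
}

// Integer: cast, then check the range the application actually accepts.
// Returns null when the value is missing, non-numeric or out of range so the
// caller can reject the request instead of storing a bad value.
function int_in_range(array $input, string $key, int $min, int $max): ?int
{
    if (!isset($input[$key]) || !is_numeric($input[$key])) {
        return null;
    }
    $n = (int) $input[$key];              // eg $var = (int) $var, as in the post
    return ($n >= $min && $n <= $max) ? $n : null;
}

// Text: convert characters that are special in HTML so they cannot break out
// of the page when the value is echoed back.
function html_safe(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input, standing in for $_POST.
$post = [
    'newsletter' => 'on',
    'quantity'   => '-5',
    'comment'    => '<b>Hi</b> & "welcome"',
];

$clean = [
    'newsletter' => checkbox_to_int($post, 'newsletter'),    // 1
    'quantity'   => int_in_range($post, 'quantity', 1, 100), // null: negative is rejected
    'comment'    => html_safe($post['comment']),             // &lt;b&gt;Hi&lt;/b&gt; &amp; &quot;welcome&quot;
];

if ($clean['quantity'] === null) {
    // Reject the submission rather than silently saving a bad value.
    // header('HTTP/1.1 400 Bad Request'); exit;
}
var_dump($clean);
```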