PHP
If you use MySQL for your database, you must use MySQLi with prepared statements to validate user input. This is required on both the SELECT and UPDATE-type commands. Many other database extensions support this, such as PostgreSQL and SQLite3.
In order to stop JavaScript injection, you have a number of options. You could use either the strip_tags or the htmlspecialchars built-in function. htmlspecialchars translates characters like <>& to their respective entities (i.e. &lt;), while strip_tags simply removes HTML tag blocks. Another method is to use Textile or Markdown. As a Fluther user, you probably already prefer Textile, but I would recommend Markdown for any programming-related community apps like Stack Overflow.
Python with Django
I like Django. By setting up “models” of SQL tables, you are automatically securing against the chance of a SQL injection. Very nice! Also included in the Django framework is the striptags template tag, which functions identically to PHP’s strip_tags command. As with PHP, you may choose to use Textile instead. Lucky for you, this has been implemented in Python as the Textile Package.
Java
If you’re making Java web applications with SQL access, you probably already know a lot about the SQL injection problem. However, a framework like JDO may still be helpful. There are Textile implementations in Java as well.
ALL Languages
To secure your apps from SQL injection in general, avoid building SQL strings from scratch. An example of this is:
query = "SELECT * FROM `table` WHERE id = " + page_id;
Using this form will make terrorists happy, and you will be murdered in your sleep by DB access programmers. Even if you Regex the hell out of it. And don’t think declaring your variable as an int will help either. Instead, read the documentation of your programming language, and look for the words “prepared statements” and “database modeling.”
Summary
You don’t need a security professional for simple web applications like Fluther. (Not to say Fluther is simple. It’s just not a bank site.) You only need to know what you’re doing and be extremely careful and detailed when programming these topics.
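The "ALL Languages" advice above (never build SQL by string concatenation; use prepared statements) shown side by side in working code. This is an added example, not code from the post; it uses Python's built-in sqlite3 module (SQLite3 is one of the extensions the post names as supporting prepared statements) against a constructed in-memory table, and the table name, columns and sample rows are assumptions made up for the demonstration.

```python
import sqlite3

# Constructed sample schema: a "pages" table where secret=1 marks rows that
# must never be shown to an ordinary visitor.
SAMPLE_ROWS = [
    (1, "Home", 0),
    (2, "About", 0),
    (3, "Admin notes", 1),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, secret INTEGER)"
    )
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, page_id):
    """The pattern the post warns against: the request value is glued into
    the SQL text, so whatever the user typed becomes part of the query."""
    query = "SELECT title FROM pages WHERE secret = 0 AND id = " + page_id
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, page_id):
    """Prepared statement: the SQL text is fixed and the value travels as a
    bound parameter, so it is only ever compared with the id column."""
    query = "SELECT title FROM pages WHERE secret = 0 AND id = ?"
    return [row[0] for row in conn.execute(query, (page_id,))]


def run_demo():
    """Return both lookups for a normal id and for a malformed id string,
    so a reader can see exactly which rows each version hands back."""
    conn = make_db()
    normal = "2"
    # Constructed malformed input: a value that is not a plain number.
    malformed = "2 OR secret = 1"
    return {
        "unsafe_normal": lookup_unsafe(conn, normal),
        "safe_normal": lookup_safe(conn, normal),
        "unsafe_malformed": lookup_unsafe(conn, malformed),
        "safe_malformed": lookup_safe(conn, malformed),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

With the concatenated form, the malformed id rewrites the WHERE clause and the secret row comes back; with the bound parameter the same text is just a value that matches no id, and the result is empty. That difference, not any regex on the input, is what the post's "prepared statements" advice buys you.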
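The two PHP options the post describes for stopping script injection (htmlspecialchars-style entity encoding versus strip_tags-style tag removal) shown as an added Python example, not code from the post. html.escape is the standard-library equivalent of htmlspecialchars; Python has no strip_tags, so the tag stripper below is a small HTMLParser-based stand-in written for this example, and the comment text it is fed is constructed.

```python
import html
from html.parser import HTMLParser


class _TextOnly(HTMLParser):
    """Keeps text nodes and drops every tag, in the spirit of PHP's strip_tags.
    Entity references are passed through untouched (convert_charrefs=False)
    so that text the user already encoded stays encoded."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        self.parts.append(f"&{name};")

    def handle_charref(self, name):
        self.parts.append(f"&#{name};")


def strip_tags(text):
    """Remove HTML tag blocks and return only the text between them."""
    parser = _TextOnly()
    parser.feed(text)
    parser.close()
    return "".join(parser.parts)


def escape_for_html(text):
    """Encode <, >, &, " and ' as entities so the browser shows them literally
    instead of parsing them (the htmlspecialchars approach)."""
    return html.escape(text, quote=True)


def render_comment(text, mode="escape"):
    """Prepare one user comment for inclusion in a page body.
    mode="escape" keeps the user's text visible but inert;
    mode="strip" discards markup and keeps only the text."""
    if mode == "escape":
        return escape_for_html(text)
    if mode == "strip":
        return strip_tags(text)
    raise ValueError(f"unknown mode: {mode}")


def is_inert(rendered):
    """Defender's check: after escaping, no raw angle bracket should remain,
    so nothing in the string can open a tag when the page is parsed."""
    return "<" not in rendered and ">" not in rendered


if __name__ == "__main__":
    # Constructed sample comment mixing harmless formatting with a script tag.
    comment = 'Hi <b>there</b> <script>alert("x")</script> 1 &lt; 2'
    print("escape:", render_comment(comment, "escape"))
    print("strip: ", render_comment(comment, "strip"))
```

Escaping keeps what the user typed readable (they see their angle brackets) while guaranteeing it cannot be interpreted as markup, which is why it is the safer default for plain comments; stripping is the choice when you want markup gone entirely, and note that it leaves the inner text of a script tag behind as ordinary text.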