Well, if it broke when they entered that text, then it's probably not SQL injection proof.
The best way (IMO) is to use the MySQLi or PDO database extension along with bound input parameters. If that is not feasible for some reason and you have to use the old (and now-deprecated) MySQLi extension, then you should cast any numeric field values to the appropriate type ( (int) or (float) ) or apply mysql_real_escape_string() to any character/string values.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
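Added example, not part of the post above: the same ordinary text inserted once by string concatenation and once through PDO bound parameters. The `comments` table, its columns and the sample values are constructed, and an in-memory SQLite database is assumed so the script runs without a server; with MySQL only the DSN changes.

```php
<?php
// Added example: table, columns and sample input are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed input: plain text containing apostrophes, and a numeric id
// that arrives as a string, the way request parameters do.
$author = "O'Brien";
$body   = "It's broken";
$id     = '1';

// Concatenation: the apostrophe ends the string literal early, so the
// statement no longer parses. Input that can break the query like this
// can also change what the query does.
try {
    $pdo->exec("INSERT INTO comments (author, body) VALUES ('$author', '$body')");
    echo "concatenated insert: ok\n";
} catch (PDOException $e) {
    echo "concatenated insert failed: ", $e->getMessage(), "\n";
}

// Bound parameters: the SQL text is fixed when the statement is prepared,
// and the values are passed separately, so they are never parsed as SQL.
$insert = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$insert->execute([':author' => $author, ':body' => $body]);

// Numeric field: cast to int and bind it with an explicit integer type.
$select = $pdo->prepare('SELECT author, body FROM comments WHERE id = :id');
$select->bindValue(':id', (int) $id, PDO::PARAM_INT);
$select->execute();
$row = $select->fetch(PDO::FETCH_ASSOC);

echo "bound insert stored: {$row['author']} / {$row['body']}\n";
```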