What's the right way to prevent SQL injection in PHP scripts?

Use prepared statements and parameterized queries (PDO & Mysqli).

PDO : http://php.net/manual/en/book.pdo.php

MYsqli : http://php.net/manual/en/book.mysqli.php

You can see more informations about it here :

How to Prevent SQL Injection in PHP

in PDO and MySqli you can bind the parameters and then excute the query

another solution you can escape the parameters using "mysql_real_escape_string"

its all depends on what are you using to manipulate the sql statement

Stored Procedure

Better always use XSS Filtering 

the best and the simple way is use sql procedures and try to implement strict coding. dont b a loose coder. 

use mysql_escape_string function to avoid charectors for sql injection before the string with {} for example:"SELECT *FROM  `tablename`WHERE  fieldname = '{".mysql_escape_string($value)."}'"

Use Parameterized Query to prevent sql injection

Best way to prevent sql injection is looking for correct input.  Use regular expressions and develop strategy for invalid input. Please remember pitfals. alternative representations. http://myhostname.com or http://194.71.105.29.

Biggest mistake:

.Not checking at all,

.Looking for incorrect input. 

Beside The best things  that all Other developrs mention, the best thing u can do to avoid SQL injection, is FILTER ALL INPUTS , Nerver trust input from user.

One of the ways is using magic quotes at server level. Another one is using the function addslashes for each input, although it's not really nice.

use mysql_escape_string function to avoid charectors for sql injection before the string