Use either PDO or Mysqli with the binding syntax. This alone will prevent most injection attacks.
$stmt = $db->prepare(
'UPDATE users ' .
'SET userEmail=:email, userSalt=:salt, userPass=:pass ' .
'WHERE userId=:userId LIMIT 1' );
$stmt->bindParam( ':email', $this->_email, \PDO::PARAM_STR );
$stmt->bindParam( ':salt', $this->_salt, \PDO::PARAM_STR );
$stmt->bindParam( ':pass', $this->_password, \PDO::PARAM_STR );
$stmt->bindParam( ':userId', $this->_id, \PDO::PARAM_INT );
In the above example, trying to escape the :email binding to insert a DROP TABLE won't work.
You still need to be careful with user-provided data. For instance, if the user provides a $docId for a get document query, make sure they're authorized for the document being requested. (And not just guessing a $docId belonging to some other user).