There are two kinds of injection attacks. One is SQL injection, which is when the user enters SQL code that you, the programmer, concatenate and turn into one big SQL command. This is prevented by parameterizing what the user enters. This also requires NO cleaning up of the user's entries.
Instead of
m.lcCmd = "select * from table where field = " + thisform.userentry
do
m.lcUserEntry = thisform.userentry
m.lcCmd = "select * from table where field = ?m.lcUserEntry"   && the value is bound as a parameter, never pasted into the statement text
The other injection is HTML / JavaScript being entered into the fields. These you do have to try and filter out.
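Both points of the post, as an added example that is not part of the original post or of any VFP code: a lookup built by string concatenation beside the same lookup with a bound `?` parameter (Python's sqlite3 uses the same `?` marker as the VFP snippet above), and the stored text being written into HTML. The table, its rows and the attack strings are constructed for the example; for the second kind of injection the example escapes the text on output, which is one way to meet the post's "filter out" advice without having to guess what to strip.

```python
import sqlite3
import html


def make_db():
    # Constructed stand-in for the post's "table" with a "field" column.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, field TEXT, secret TEXT)")
    con.executemany(
        "INSERT INTO t (field, secret) VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret"), ("o'brien", "c-secret")],
    )
    return con


def lookup_concatenated(con, userentry):
    # VULNERABLE, like the post's first snippet: the user's text becomes part of
    # the SQL statement, so a quote in it changes the query's meaning.
    cmd = "SELECT field FROM t WHERE field = '" + userentry + "' ORDER BY id"
    return [row[0] for row in con.execute(cmd)]


def lookup_parameterized(con, userentry):
    # SAFE, like the post's second snippet: the statement is fixed text and the
    # user's entry is bound as a value, so no cleaning of the entry is needed.
    cmd = "SELECT field FROM t WHERE field = ? ORDER BY id"
    return [row[0] for row in con.execute(cmd, (userentry,))]


def render_cell(userentry):
    # The other injection: stored text later written into a page. Escaping it
    # at output time turns any HTML/JavaScript in it into inert text.
    return "<td>" + html.escape(userentry, quote=True) + "</td>"


if __name__ == "__main__":
    con = make_db()
    attack = "x' OR '1'='1"
    print("concatenated :", lookup_concatenated(con, attack))   # every row comes back
    print("parameterized:", lookup_parameterized(con, attack))  # no row has that literal value
    print("apostrophe   :", lookup_parameterized(con, "o'brien"))  # works with no cleaning
    print(render_cell("<script>alert(1)</script>"))
```

Running it shows the concatenated query returning the whole table for the `x' OR '1'='1` entry while the parameterized one returns nothing, and that the parameterized query handles an entry such as `o'brien` untouched, which is exactly why no cleaning of the entry is required.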