How to prevent SQL Injection in WordPress?
From the WordPress Codex on protecting queries against SQL Injection attacks:
<?php $sql = $wpdb->prepare( 'query' , value_parameter[, value_parameter ... ] ); ?>
If you scroll down a bit farther, there are examples.
You should also read the database validation docs for a more thorough overview of SQL escaping in WordPress.
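As an added example (not taken from the Codex or from the answer above), this is how `$wpdb->prepare()` can be used for a query that mixes an integer, a `LIKE` pattern and an `IN()` list. The function name `myplugin_find_posts`, the query itself and the `author` / `q` request parameters are assumptions made for illustration; the code is meant to run inside WordPress, where the global `$wpdb` exists.

```php
<?php
// Hypothetical plugin helper (name and query are assumptions for illustration).
// Runs inside WordPress, where the global $wpdb object is available.
function myplugin_find_posts( $author_id, $title_fragment, array $statuses ) {
    global $wpdb;

    // UNSAFE pattern this replaces: input concatenated into the SQL string.
    // $sql = "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE '%$title_fragment%'";

    if ( empty( $statuses ) ) {
        return array(); // an empty IN () list would be invalid SQL
    }

    // esc_like() only neutralises the LIKE wildcards (% and _) in the input;
    // it does not SQL-escape, so the value still goes through prepare().
    $like = '%' . $wpdb->esc_like( $title_fragment ) . '%';

    // Build one %s placeholder per IN() value. Only placeholders are
    // generated dynamically, never the values themselves.
    $in_placeholders = implode( ', ', array_fill( 0, count( $statuses ), '%s' ) );

    // Placeholders are left unquoted: prepare() adds the quotes for %s
    // and casts %d to an integer.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title
           FROM {$wpdb->posts}
          WHERE post_author = %d
            AND post_title LIKE %s
            AND post_status IN ( $in_placeholders )
          ORDER BY post_date DESC",
        array_merge( array( $author_id, $like ), array_values( $statuses ) )
    );

    return $wpdb->get_results( $sql );
}

// Example call with request data (parameter names are assumptions).
$rows = myplugin_find_posts(
    isset( $_GET['author'] ) ? absint( $_GET['author'] ) : 0,
    isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '',
    array( 'publish', 'private' )
);
```

Table and column names cannot be bound with `%s` or `%d`; take them from `$wpdb` properties such as `$wpdb->posts` or from a fixed allow-list rather than from user input.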