WordPress Codex on database escaping

Functions that update the database should expect their parameters to lack SQL slash escaping when passed. Escaping should be done as close to the time of the query as possible, preferably by using $wpdb->prepare.

$wpdb->prepare is a method that handles escaping, quoting, and int-casting for SQL queries. It uses a subset of the sprintf style of formatting. Example:

$var = "dangerous'"; // raw data that may or may not need to be escaped
$id  = some_foo_number(); // data we expect to be an integer, but we're not certain
$wpdb->query( $wpdb->prepare( "UPDATE $wpdb->posts SET post_title = %s WHERE ID = %d", $var, $id ) );

%s is used for string placeholders and %d is used for integer placeholders. Note that they are not ‘quoted’: $wpdb->prepare will take care of escaping and quoting for us.
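
The contract described above, as an added example that is not from the Codex: the database-layer function takes unslashed values and escapes only inside $wpdb->prepare, while the caller strips the slashes WordPress adds to $_POST. It assumes WordPress is loaded; the example_* function names are hypothetical, and the LIKE search goes one step beyond the page's own example.

```php
<?php
// Added example. Assumes WordPress is loaded (global $wpdb available).
// All example_* function names are hypothetical.

// DB-layer function: expects parameters WITHOUT SQL slash escaping and
// escapes only at query time, through $wpdb->prepare().
function example_update_post_title( $title, $post_id ) {
    global $wpdb;

    // Unsafe form, for contrast only (never run): a quote in $title would
    // end the string literal and change the statement.
    // "UPDATE $wpdb->posts SET post_title = '$title' WHERE ID = $post_id"

    // %s is escaped and quoted by prepare(); %d is cast to an integer.
    // The placeholders carry no quotes of their own.
    $sql = $wpdb->prepare(
        "UPDATE $wpdb->posts SET post_title = %s WHERE ID = %d",
        $title,
        $post_id
    );

    return $wpdb->query( $sql ); // rows affected, or false on error
}

// LIKE search: prepare() does not escape the wildcards % and _,
// so the user term goes through $wpdb->esc_like() first.
function example_find_posts_by_title( $term ) {
    global $wpdb;

    $like = '%' . $wpdb->esc_like( $term ) . '%';

    return $wpdb->get_col(
        $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_title LIKE %s", $like )
    );
}

// Caller: WordPress adds slashes to $_POST, so remove them before the
// value reaches the DB-layer function; otherwise backslashes get stored.
function example_handle_title_form() {
    if ( ! isset( $_POST['title'], $_POST['post_id'] ) ) {
        return false;
    }
    $title   = sanitize_text_field( wp_unslash( $_POST['title'] ) );
    $post_id = absint( $_POST['post_id'] );

    return example_update_post_title( $title, $post_id );
}
```

A production handler would also verify a nonce and the current user's capability before calling the update function; those checks are left out here to keep the focus on escaping.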

See more here:
WordPress Coding Standards « WordPress Codex.