MySQL protection and stuff
OK, my mind has shut off, but I know that allowing people to send commands to a MySQL DB via a PHP form is just bad karma, so I'm wondering what I need to protect against. From what I've seen, the big issues are ";" and "_". I believe the semi-colon is required in every command, true or false? If true, does this mean that I only need to change each semi-colon to another character to be secure, or would removing underscores also help to protect the DB?
