It's not as hard as it seems. "Keep what you want and throw everything else away" is a good place to start. Unfortunately this means a little more front end work - say, for an email form, you expect an email address and ordinary text for all input. So you can remove any character that is not in that set, and only accept input from fields you expect. The email address field requires a bit more attention, assuring there is only one and it's a valid email pattern.

For run of the mill email injections, before cleansing you might look for known injection patterns. This allows you to stop the script immediately to avoid annoying emails that are "safe" but still come through. There's lots of ways to do it but this is a good place to start.

Thanks rocknbil and sorry for the late reply.

I have looked around and found some tools but they all seem to be very difficult to implement, I'd say that the best one can do is do as you say, keep one eye open at all times and try to be one step ahead, I'll keep looking for better ways to check for wholes anyways, I could find one that I like down the road...