The DBManager - http://support.sugarcrm.com/Documentation/Sugar_Developer/Sugar_Developer_Guide_7.7/Data_Framework/Database/DBManagerFac… - is indispensable for querying the database.
My favorite way of preventing SQL injection is binding variables, so the query and the variables get sent to the database. In PHP I'd use PDO with parameterized queries (using bindParam()). This thread recommends it for all sorts of reasons - appsec - SQL injection -- why isn't escape quotes safe anymore? - Information Security Stack Exchange.
I'm pretty sure PDO is being used in the background in the DBManager. Is there any way to use parameterized queries using the DBManager?
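The contrast the question draws, as an added example that is not from the post or from SugarCRM's DBManager: a string-built query beside a PDO parameterized query, run against an in-memory SQLite table (constructed sample data) so it executes stand-alone. With a constructed input that closes the quote early, the string-built version matches every row because the WHERE clause is rewritten, while the bound version compares the whole string as a name and matches nothing.

```php
<?php
// Added example (not from the original post or SugarCRM's DBManager).
// In-memory SQLite stands in for the application database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO accounts (name) VALUES ('Acme'), ('Globex')"); // constructed rows

// Vulnerable: the input is spliced into the SQL text, so a quote inside the
// input ends the string literal and the rest is parsed as SQL.
function findByNameUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM accounts WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the SQL text is fixed when prepared; the value travels separately
// as a bound parameter, so the engine never parses it as SQL.
// (With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not the client library, does the binding.)
function findByNameSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM accounts WHERE name = :name');
    $stmt->bindParam(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$benign  = 'Acme';
$hostile = "x' OR '1'='1"; // constructed input that terminates the quoted literal

var_dump(findByNameUnsafe($pdo, $benign));
var_dump(findByNameUnsafe($pdo, $hostile));  // WHERE clause has been rewritten
var_dump(findByNameSafe($pdo, $benign));
var_dump(findByNameSafe($pdo, $hostile));    // whole string is compared as data
```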