Even if you are filtering your input, a good and easy to implement safety measure is to cast all numeric values in the SQL statement.