eCart and DataAssist include built-in functions to help protect against SQL injection attacks.
You could certainly use the code you have included as well. In the store cart summary server behavior, when you bind a Database column to a form value, it adds code similar to:
<?php echo ((isset($_POST["shipping_firstname"]))?$_POST["shipping_firstname"]:""); ?>
You can include the filterstring() function by editing that to:
<?php echo ((isset($_POST["shipping_firstname"]))?filterstring($_POST["shipping_firstname"]):""); ?>
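As an added example that is not part of the original post or of the WebAssist products: the same form binding with a stand-in filter function (an assumption, not the real filterstring()), plus an HTML escape for the echo and a PDO prepared statement for the database write, which is the step that actually keeps the posted value from being parsed as SQL. $pdo is assumed to be an open PDO connection.

```php
<?php
// Added example, not eCart/DataAssist code. The real filterstring() ships with
// WebAssist; this stand-in is an assumption used only to show the pattern of
// cleaning a posted value once and then using it safely in two contexts.
function filterstring_example(string $value): string {
    // Drop control characters, trim, and cap the length so an oversized or
    // binary-laden field cannot reach the query or the page.
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return substr(trim($value), 0, 100);
}

// Mirror of the server-behavior binding: read the form value only if present.
$firstname = isset($_POST["shipping_firstname"])
    ? filterstring_example($_POST["shipping_firstname"])
    : "";

// 1. Output context: escape for HTML when echoing the value back into the form.
echo htmlspecialchars($firstname, ENT_QUOTES, 'UTF-8');

// 2. SQL context: the filter reduces junk, but the prepared statement is what
//    separates data from SQL. Table and column names are assumed.
$stmt = $pdo->prepare(
    "UPDATE orders SET shipping_firstname = :fn WHERE order_id = :id"
);
$stmt->execute([
    ':fn' => $firstname,
    ':id' => (int) ($_POST["order_id"] ?? 0),
]);
```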