This question already has an answer here: How can I prevent SQL injection in PHP? (28 answers)
Since my statements are like
$sql = "SELECT * FROM `box` WHERE `thing` = '{$variable}'";
Could I clean that with simply
$variable = str_replace("'","\'",$variable);
$sql = "SELECT * FROM `box` WHERE `thing` = '{$variable}'";
Would that work? My host doesn't support mysql escape and I'm not using mysqli.
Depending on what classes as a valid data type for your query, you can usually get away with:
function cleanVar($str){
    // addslashes() puts a backslash before ', ", \ and NUL; strip_tags() then removes HTML/PHP tags
    $str = strip_tags(addslashes($str));
    return $str;
}
Use parametrized queries (PDO is probably your best bet).
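Added example, not code from the question or from any of the answers. It puts the question's str_replace approach next to a PDO prepared statement and runs both against an in-memory SQLite database (assumed: PHP 7+ with the pdo_sqlite extension), which stands in for the asker's MySQL server so the file runs offline. The table and column names follow the question; the rows and the attack string are constructed sample data.

```php
<?php
declare(strict_types=1);

// Added example, not the question's or any answer's code. Assumes PHP 7+ with
// pdo_sqlite; an in-memory SQLite database stands in for the asker's MySQL
// server. Table and column names follow the question (`box`, `thing`); the
// two rows below are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE box (id INTEGER PRIMARY KEY, thing TEXT NOT NULL)');
$pdo->exec("INSERT INTO box (thing) VALUES ('apple'), ('secret')");

// The question's approach: put a backslash in front of every single quote and
// interpolate the result straight into the SQL text.
function naiveLookup(PDO $pdo, string $variable): array
{
    $variable = str_replace("'", "\\'", $variable);          // same replacement as in the question
    $sql = "SELECT * FROM `box` WHERE `thing` = '{$variable}'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterized version: the SQL text is fixed and the value travels to the
// driver separately, so nothing in $variable can change the query's structure.
function safeLookup(PDO $pdo, string $variable): array
{
    $stmt = $pdo->prepare('SELECT * FROM box WHERE thing = :thing');
    $stmt->execute([':thing' => $variable]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attack input. The leading backslash is the point: the question's
// replacement turns \' into \\', which MySQL reads as an escaped backslash
// followed by a real closing quote, so the rest of the input becomes SQL.
// (SQLite never treats backslash as an escape, so against SQLite even a bare
// quote breaks out; this payload works against both engines.)
$payload = "\\' OR 1=1 --";

printf("naive lookup for payload: %d row(s)\n", count(naiveLookup($pdo, $payload)));
printf("safe lookup for payload:  %d row(s)\n", count(safeLookup($pdo, $payload)));
printf("safe lookup for 'apple':  %d row(s)\n", count(safeLookup($pdo, 'apple')));
```

With the payload, naiveLookup returns the whole table while safeLookup returns nothing, because the prepared statement compares `thing` against the literal payload string; the plain 'apple' lookup still finds its one row. Against a real MySQL server, swap the DSN for `mysql:host=...;dbname=...;charset=utf8mb4` with a username and password, and set `PDO::ATTR_EMULATE_PREPARES` to false so the MySQL driver sends genuine server-side prepared statements rather than escaping client-side. Two caveats on the escaping route: addslashes() does escape the backslash, so it stops this particular payload, but it knows nothing about the connection's character set, which is the gap mysql_real_escape_string was written to close; and backslash escaping is a MySQL convention, not standard SQL, where a quote inside a string is doubled (which is what pg_escape_string and SQLite's own quoting produce).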
I highly doubt that your host doesn't support the mysql_real_escape_string function.
$variable = mysql_real_escape_string($variable);
$sql = "SELECT * FROM `box` WHERE `thing` = '{$variable}'";
If indeed you don't have MySQL installed, then you can use one of the following escape functions based on which RDBMS you're using:
pg_escape_string
sqlite_escape_string
db2_escape_string
ingres_escape_string
If it's postgres you can use pg_escape_string.
Hate to repeat myself, but, once again, try this one:
PHP Intrusion Detection System