All calls to the API are going through the api.php where every $_POST gets escaped. I'm not an expert when it comes to SQL injection, but I think this should prevent it. See line 61 in php/api.php. It would be great to know if this actually helps or not.
Having read your code and quickly brushed up the little bits of PHP knowledge from years ago, I'd say it helps only a little. mysqli_real_escape_string alone doesn't protect you completely from SQL injection attacks, it just makes it harder - see the second answer at http://stackoverflow.com/questions/5741187/sql-injection-tha... for an example. Also, the homegrown $albumID validation allows bad payload to reach mysqli_real_escape_string().
I haven't looked at the code, but you really should switch to prepared statements. They make your code cleaner and more secure (and maybe faster, but that's pretty negligible in this case). Have a look at PDO.
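
Added example, not part of the thread and not code from the project under discussion: a sketch of why escaping alone falls short when a value such as $albumID is placed in an unquoted numeric context, next to the PDO prepared-statement form suggested above. The table, its columns, the function names and the in-memory SQLite database are constructed for illustration, and escape_only() is a hypothetical stand-in that escapes the same characters as mysqli_real_escape_string().

```php
<?php
// Constructed data: in-memory SQLite stands in for the application's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE photos (id INTEGER PRIMARY KEY, album INTEGER, title TEXT)');
$db->exec("INSERT INTO photos (album, title) VALUES (1, 'beach'), (1, 'hills'), (2, 'private')");

// Hypothetical stand-in for mysqli_real_escape_string(): it backslash-escapes
// NUL, newline, carriage return, backslash, quotes and Ctrl-Z, nothing else.
function escape_only(string $s): string {
    return addcslashes($s, "\0\n\r\\'\"\x1a");
}

// Weak: the escaped value is concatenated into an unquoted numeric context.
function titles_escaped(PDO $db, string $albumID): array {
    $sql = 'SELECT title FROM photos WHERE album = ' . escape_only($albumID);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: validate the type, then bind the value as a parameter so it
// can never be parsed as SQL.
function titles_prepared(PDO $db, string $albumID): array {
    if (!ctype_digit($albumID)) {
        throw new InvalidArgumentException('albumID must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT title FROM photos WHERE album = :album');
    $stmt->bindValue(':album', (int) $albumID, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$input = '1 OR 1=1'; // constructed input with no characters the escape touches

print_r(titles_escaped($db, '1'));     // well-formed album id
print_r(titles_escaped($db, $input));  // escaping leaves the input unchanged, so it is parsed as SQL
try {
    titles_prepared($db, $input);      // fails validation before reaching the database
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
print_r(titles_prepared($db, '1'));    // same query, value bound as an integer
```

Running it requires the pdo_sqlite extension; against MySQL only the DSN passed to the PDO constructor changes.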