• Hi all,
    I’ve been reading about SQL injection etc. and I want to beef up the security on my site.

    I’ve read that queries should have $wpdb->prepare with them…

    So, for example,
    $wpdb->get_var('SELECT blah FROM blah WHERE something = '.$var);
    becomes…
    $wpdb->get_var($wpdb->prepare('SELECT blah FROM blah WHERE something = %d',$var));

    My 2 questions are…

    1) Is the above correct formatting for using the ->prepare statement?

    2) When is $wpdb->prepare to be used? Is it on EVERY sql statement? Or just certain ones?

    Many thanks for any light you can shed on this.

    Cheers

    John
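As an added example that is not from the original thread, here is how $wpdb->prepare() is used inside WordPress plugin or theme code: the concatenated form from the question beside its prepared form, a query with several placeholders, a LIKE clause, and a query with no variables at all. It assumes the WordPress $wpdb global is loaded; the request values are constructed for illustration.

```php
<?php
// Added example, not code from the original thread. Assumes this file is
// loaded by WordPress so that $wpdb and the WP helper functions exist.
global $wpdb;

// Constructed sample input: request parameters that an attacker controls.
$post_id_input = isset( $_GET['post_id'] ) ? $_GET['post_id'] : '';
$search_input  = isset( $_GET['q'] ) ? wp_unslash( $_GET['q'] ) : '';

// UNSAFE: the variable is spliced into the SQL text, so whatever the
// request contains becomes part of the query. This is the pattern to avoid.
$unsafe_title = $wpdb->get_var(
    "SELECT post_title FROM {$wpdb->posts} WHERE ID = " . $post_id_input
);

// SAFE: prepare() takes sprintf-style placeholders and escapes or casts each
// argument; %d casts to an integer, %s quotes and escapes a string, %f a float.
$title = $wpdb->get_var( $wpdb->prepare(
    "SELECT post_title FROM {$wpdb->posts} WHERE ID = %d",
    $post_id_input
) );

// Several placeholders: pass one argument per placeholder, in order.
$recent = $wpdb->get_results( $wpdb->prepare(
    "SELECT ID, post_title FROM {$wpdb->posts}
     WHERE post_status = %s AND post_author = %d
     ORDER BY post_date DESC LIMIT %d",
    'publish',
    get_current_user_id(),
    10
) );

// LIKE clauses: escape the user's own wildcard characters with esc_like(),
// then add your wildcards and still bind the whole value through %s.
$like    = '%' . $wpdb->esc_like( $search_input ) . '%';
$matches = $wpdb->get_col( $wpdb->prepare(
    "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE %s",
    $like
) );

// A fully static query carries no variables, so there is nothing to prepare.
$published = $wpdb->get_var(
    "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_status = 'publish'"
);
```

The rule of thumb this shows: prepare() is needed whenever a variable reaches the SQL string, whatever its source, and is unnecessary only for queries written entirely as literals.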
