you'll be better off just writing decent code that isn't vulnerable to injection in the first place.
The same basic rules apply to ANY programming environment. Don't pass unvalidated user input to any function... more so any function with potential access to sensitive data (i.e., SQL queries).
The #1 way to prevent SQL injection is simply don't put ANY user-supplied data into a database query, ever. As that is obviously not practical in real world applications, the next best solution is to only allow very specific and known input. If there's no need for a query to accept anything other than a-z, 0-9 and 128 characters in length, then limit the input to that explicitly with regular expressions. That alone will prevent the vast majority of injection attacks which use characters such as ', &, + or = to re-write a query string.
Unfortunately, there is no way to do this outside of rewriting vulnerable application source code. Sure, you can (and should) use mod_security to block certain input which should never be allowed under any condition, however mod_security doesn't "know" anything about applications and cannot be used to write specific enough rules to exclude every possible attack without breaking the applications it is intended to protect.
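The allowlist described above (a-z, 0-9, at most 128 characters), enforced in application code before the value reaches a query. This is an added example, not code from the original post. The `users` table, the function names and the sample inputs are constructed for illustration, and the minimum length of 1 and the use of a bound parameter are assumptions the post does not state.

```python
import re
import sqlite3

# Allowlist from the post: a-z, 0-9, up to 128 characters.
# Assumption: at least 1 character. fullmatch() is used instead of "^...$"
# because "$" also matches just before a trailing newline.
ALLOWED = re.compile(r"[a-z0-9]{1,128}")

class RejectedInput(ValueError):
    """Raised when input contains anything outside the allowlist."""

def validate_name(value):
    if not isinstance(value, str) or ALLOWED.fullmatch(value) is None:
        raise RejectedInput("input outside allowlist")
    return value

def make_db():
    # Constructed sample data in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob42", "bob@example.test")])
    return db

def lookup_email(db, raw_name):
    # Validate first; only allowlisted input ever reaches the query.
    name = validate_name(raw_name)
    # Bound parameter as a second layer (an addition, not from the post).
    row = db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None

def audit(samples):
    """Map each sample to True (accepted) or False (rejected)."""
    result = {}
    for s in samples:
        try:
            validate_name(s)
            result[s] = True
        except RejectedInput:
            result[s] = False
    return result

# Constructed inputs: two valid names, the characters the post names
# (', &, + and =), uppercase, empty, over-length, trailing newline.
SAMPLES = ["alice", "bob42", "alice'", "a&b", "a+b", "a=b",
           "Alice", "", "a" * 129, "alice\n"]

if __name__ == "__main__":
    for sample, ok in audit(SAMPLES).items():
        print(repr(sample[:20]), "accepted" if ok else "rejected")
```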