in reply to Re: Simple question on SQL Injection
in thread Simple question on SQL Injection

The canonical way to prevent SQL injection is to use placeholders.
An alternative approach is to allow access to data through stored procedures only, and disallow dynamic SQL altogether. Such an approach has a number of interesting benefits, including performance and security.
--
Andreas
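As an added example (not code from Andreas's reply), here is the placeholder point made concrete with Python's sqlite3 module: the same lookup written once by interpolating the value into the SQL text and once by binding it through a placeholder, run against a constructed in-memory table so it works offline.

```python
import sqlite3


def make_db():
    """Constructed sample table (three rows) so the example runs stand-alone."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_interpolated(conn, name):
    """Unsafe form: the caller's string is pasted into the SQL text, so a
    quote character in it changes the structure of the statement."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_placeholder(conn, name):
    """Safe form: the value is bound by the driver and compared as data only,
    however many quotes it contains."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both forms on an ordinary name and on a constructed input that
    closes the quoted literal; returns the four result lists for inspection."""
    conn = make_db()
    honest = "bob"
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    return {
        "interpolated_honest": lookup_interpolated(conn, honest),
        "interpolated_crafted": lookup_interpolated(conn, crafted),
        "placeholder_honest": lookup_placeholder(conn, honest),
        "placeholder_crafted": lookup_placeholder(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The interpolated query returns every row for the quoted input while the placeholder version returns none, which is the whole reason placeholders are the canonical fix.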