in reply to Re^4: Cryptology in the database
in thread Cryptology in the database
"SQL injection [is] a really tough hole to protect against"

Not really. Revoke SELECT, INSERT, UPDATE, DELETE privileges from your application's user account and grant access to your data through stored procedures only (provided that the DBMS of your choice supports it). That's what I consider the most effective SQL injection prevention.
See also Avoiding SQL Injection (owasp.org).
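
The privilege setup described in the post above, as an added example that is not part of the original post. It assumes PostgreSQL; every role, schema, table and function name is hypothetical.

```sql
-- Run as a superuser. All role, schema, table and function names are hypothetical.
CREATE ROLE app_owner NOLOGIN;          -- owns the data and the procedures
CREATE ROLE app_web LOGIN;              -- the account the application connects as
CREATE SCHEMA app AUTHORIZATION app_owner;

SET ROLE app_owner;
CREATE TABLE app.accounts (
    id       integer PRIMARY KEY,
    username text NOT NULL UNIQUE,
    balance  numeric(12,2) NOT NULL
);
INSERT INTO app.accounts VALUES (1, 'alice', 100.00);   -- constructed sample row

-- Read path. SECURITY DEFINER runs the body with app_owner's rights, so the
-- caller needs no table privilege. p_username is bound as a value; the body
-- never builds SQL text from it. search_path is pinned so the body cannot
-- resolve names through a schema the caller controls.
CREATE FUNCTION app.get_balance(p_username text)
RETURNS numeric
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = app, pg_temp
AS $$
    SELECT a.balance FROM app.accounts a WHERE a.username = p_username;
$$;

-- Write path, limited to the one change the application is allowed to make.
CREATE FUNCTION app.deposit(p_username text, p_amount numeric)
RETURNS void
LANGUAGE sql SECURITY DEFINER
SET search_path = app, pg_temp
AS $$
    UPDATE app.accounts SET balance = balance + p_amount
    WHERE username = p_username AND p_amount > 0;
$$;
RESET ROLE;

-- Lock down: no direct table access, and EXECUTE only on the named functions
-- (PostgreSQL grants EXECUTE to PUBLIC by default, so revoke that first).
REVOKE ALL ON ALL TABLES IN SCHEMA app FROM PUBLIC, app_web;
REVOKE EXECUTE ON ALL FUNCTIONS IN SCHEMA app FROM PUBLIC;
GRANT USAGE ON SCHEMA app TO app_web;
GRANT EXECUTE ON FUNCTION app.get_balance(text), app.deposit(text, numeric) TO app_web;

-- Audit the result from the application account's point of view.
SET ROLE app_web;
SELECT app.get_balance('alice');                                  -- allowed path
SELECT has_table_privilege('app_web', 'app.accounts', 'SELECT');  -- direct-access check
RESET ROLE;
```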