Actually, I dont' think that is the webserver's job.
Relying on your webserver to protect you against SQL injection is probably not what you want to do. The webserver has no knowledge at all about what kind of program you run behind it. You would need to teach it everything about what you're doing.
Seriously, you are much better off just using prepared statements everywhere than trying to teach a webserver the finer points of your particular combination of SQL and the language you use. It's like parsing HTML with regular expressions. It might hold up for a while or for certain tasks, but will explode quite unexpectedly at some later point.
That's true, but sometimes (especially with completely naive or old PHP) 'using prepared statements everywhere' means 'rewriting everything.' In those cases, htaccess might be the only flexible option you have until you can.
Needs to add more to this, especially configs against SQL injections and other hacks.