Simply put, add a layer of middleware or secure filtering app between the web front end and the database to identify and strip out bogus SQL code.
Worried it will have an impact on performance?
Run it on a high-performance security appliance that sits in the same spot, acting as a firewall and security gateway for your other apps; or stick it in front of the web server so it can filter bogus requests before they hit the server at all.
Bonus benefit: it will also reduce your exposure to DDoS attacks by sloughing off most of the fake queries without having to pass them to the web server to think about first.
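As an added illustration of the filtering layer described above (example code written for this page, not from the article or any product it mentions), here is a small WSGI middleware that inspects request parameters for common SQL-injection patterns, logs and rejects matching requests before they reach the application, and an application behind it that still binds user input as a query parameter. The pattern list, the `users` table and the sample requests are constructed for the example; the point the second half makes is that the filter is a last line of defence, and the parameterised query is what actually stops injection when the filter misses something.

```python
"""Request-filtering middleware in front of a parameterised-query app.

Added example, not code from the original article. Patterns, table
contents and sample requests are constructed for illustration.
"""
import re
import sqlite3
from urllib.parse import parse_qs

# Signatures typical of injection probes: comment sequences, tautologies,
# stacked statements and UNION-based probing. Deliberately narrow; a real
# deployment tunes these against its own traffic to limit false positives.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"(--|/\*)"), "sql-comment"),
    (re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I), "tautology"),
    (re.compile(r";\s*(drop|delete|update|insert|alter|exec)\b", re.I),
     "stacked-statement"),
    (re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I), "union-select"),
]


def scan_value(value):
    """Return the labels of every pattern that matches one parameter value."""
    return [label for rx, label in SUSPICIOUS_PATTERNS if rx.search(value)]


def scan_query_string(qs):
    """Return {param: [labels]} for every parameter that looks like injection."""
    findings = {}
    for name, values in parse_qs(qs, keep_blank_values=True).items():
        labels = sorted({label for v in values for label in scan_value(v)})
        if labels:
            findings[name] = labels
    return findings


def filtering_middleware(app, log):
    """Wrap a WSGI app: reject and log suspicious requests, pass the rest on."""
    def wrapped(environ, start_response):
        findings = scan_query_string(environ.get("QUERY_STRING", ""))
        if findings:
            # Record what was seen so the SOC can review it; the request never
            # reaches the application or the database.
            log.append({"remote": environ.get("REMOTE_ADDR"),
                        "path": environ.get("PATH_INFO"),
                        "findings": findings})
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"rejected\n"]
        return app(environ, start_response)
    return wrapped


def make_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",)])
    return conn


def make_app(conn):
    """Application that looks a user up with a bound parameter, never string
    concatenation, so the value is data to the database whatever it contains."""
    def app(environ, start_response):
        params = parse_qs(environ.get("QUERY_STRING", ""))
        user = params.get("user", [""])[0]
        row = conn.execute("SELECT id, name FROM users WHERE name = ?",
                           (user,)).fetchone()
        start_response("200 OK", [("Content-Type", "text/plain")])
        body = f"{row[0]}:{row[1]}\n" if row else "not found\n"
        return [body.encode()]
    return app


def build_stack(log):
    """Filter in front of the app, the arrangement the article describes."""
    return filtering_middleware(make_app(make_db()), log)


def call(app, qs):
    """Drive a WSGI app with a constructed GET request; return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/lookup",
               "QUERY_STRING": qs, "REMOTE_ADDR": "203.0.113.5"}
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


if __name__ == "__main__":
    audit = []
    stack = build_stack(audit)
    print(call(stack, "user=alice"))
    print(call(stack, "user=' OR '1'='1"))
    print(audit)
    # Same hostile input straight at the app: the bound parameter keeps it data.
    print(call(make_app(make_db()), "user=' OR '1'='1"))
```

Running it shows a legitimate lookup passing through, the tautology request being rejected with an audit entry, and the same input sent directly to the application returning "not found" because the driver bound it as a string rather than splicing it into the SQL. The filter is useful for shedding obvious probes and for visibility; the parameterised query is the control that must be present regardless.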
Check that you've already taken the most basic precautions, though, like the one SQLSecurity.com uses as the tagline on its home page introduction: "Have you blocked access to TCP 1433 and UDP 1434 from all untrusted clients? No? Then get to it!"
Although it's not clear if that's the site slogan, its most obvious advice, or a follow-up to its real slogan: "There is no patch for stupidity."