This is a little bit of a rant, but there's a real question at the end.
I recently installed a new perl script on a site (which will remain nameless) which failed mysteriously with an error 403. Eventually I found a clue in this error in the apache error logs
[error] mod_security: Access denied with code 403. Pattern match "select.+from" at REQUEST_URI [severity "EMERGENCY"]
Which I believe to be from an utterly simpleminded attempt to defend against SQL injection attacks, by rejecting any HTTP request which contains "select" followed by "from".
Obviously, the pattern could be made much more complex, but the whole approach looks bankrupt to me. The question is, is there any generic approach that could actually work, or is it necessarily something that has to be done closer to the actual database manipulation.