SQL injection is prevented by using database APIs properly, not by sanitizing. Put all the malicious SQL you want in a query string; if it's passed as a bound parameter to a prepared query, it's only ever going to be a plain string.
You might sanitize for different reasons like business logic, but if it's your first line of defense against SQL injection, you're already on the losing side.
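The point above, as an added example that is not part of the original comment: the same hostile string is run through a concatenated query and a bound-parameter query using Python's `sqlite3`. The `users` table, the function names and the input string are constructed for this illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; schema is an assumption for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    db.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return db

def lookup_concatenated(db, name):
    # Anti-pattern: the input becomes part of the SQL text and is parsed as SQL.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]

def lookup_bound(db, name):
    # The statement text is fixed; the driver hands `name` over as a value only.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(query, (name,))]

def store_and_read_back(db, name):
    # A bound value round-trips unchanged, quotes included, with no escaping step.
    cur = db.execute("INSERT INTO users (name, secret) VALUES (?, ?)", (name, "x"))
    row = db.execute("SELECT name FROM users WHERE id = ?", (cur.lastrowid,)).fetchone()
    return row[0]

HOSTILE = "nobody' OR '1'='1"  # constructed input

if __name__ == "__main__":
    db = make_db()
    # Concatenation: the WHERE clause is rewritten and every row matches.
    print("concatenated:", lookup_concatenated(db, HOSTILE))
    # Bound parameter: compared as one literal string, so nothing matches.
    print("bound:       ", lookup_bound(db, HOSTILE))
    # The string is stored as data and can then be found by exact match.
    print("round trip:  ", store_and_read_back(db, HOSTILE))
    print("bound again: ", lookup_bound(db, HOSTILE))
```

The concatenated version also breaks on a harmless name such as `O'Brien`, which the bound version handles without any input filtering.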