I must say that I have never heard of a hex code attack; so, thank you for causing me to look into that.
My recommendation is layering. If you do an internet search on SQL Injection you will come up with all the same recommendations previously mentioned: use stored procs, tighten security with lowest level permissions, use sp_executesql with ad hoc query execution, and force developers to use parameterized queries.
But the supreme rule is: all input should be viewed as questionable whether it is coming from a source internal or external to your organization. You can build yourself some "cleansing" type functions to apply to string and binary type parameter inputs; but, know that they may need to be updated/tweaked from time to time as new threats come along and the line between legitimate and illegitimate input is blurry sometimes.
The only way to be truly protected is to operate disconnected in a vacuum, which is pointless; so, do the best that you can and be prepared for the worst--back up your databases and practice recovery from time to time.
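An added example, not part of the original post: the layers recommended above (stored procedure, `sp_executesql` with typed parameters, lowest-level permissions) combined in T-SQL, with the concatenated form shown for contrast. The table, procedure, and role names are constructed for illustration.

```sql
-- Constructed schema for illustration only.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    LastName   NVARCHAR(50) NOT NULL,
    City       NVARCHAR(50) NOT NULL
);
GO

-- Weak form: input is concatenated into the statement text, so whatever
-- the caller sends is compiled as part of the SQL, however it was encoded.
CREATE PROCEDURE dbo.SearchCustomers_Concat
    @LastName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, City FROM dbo.Customers WHERE LastName = '''
        + @LastName + N'''';
    EXEC (@sql);
END;
GO

-- Layered form: only fixed text is concatenated; values travel as typed
-- parameters to sp_executesql and are never parsed as SQL.
-- Dynamic SQL breaks ownership chaining, hence EXECUTE AS OWNER.
CREATE PROCEDURE dbo.SearchCustomers
    @LastName NVARCHAR(50) = NULL,
    @City     NVARCHAR(50) = NULL
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, City FROM dbo.Customers WHERE 1 = 1';
    IF @LastName IS NOT NULL SET @sql += N' AND LastName = @pLastName';
    IF @City     IS NOT NULL SET @sql += N' AND City = @pCity';

    EXEC sys.sp_executesql
        @sql,
        N'@pLastName NVARCHAR(50), @pCity NVARCHAR(50)',
        @pLastName = @LastName,
        @pCity     = @City;
END;
GO

-- Lowest-level permissions: the application role may run the procedure only.
CREATE ROLE app_reader;
GRANT EXECUTE ON OBJECT::dbo.SearchCustomers TO app_reader;
DENY SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Customers TO app_reader;
GO
```

Without `EXECUTE AS OWNER`, the dynamic statement would run under the caller's permissions and fail against the `DENY`, which is why teams that skip it often end up granting direct table access and losing that layer.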