A Web Application Firewall (WAF) (A) is the best control to mitigate SQL injection attacks because it can detect and block malicious SQL queries before they reach the application. WAFs analyze incoming requests, filter SQL injection attempts, and provide an additional layer of security for web applications.

Other options:

SQL server hardening (B) improves security but does not specifically address SQL injection.

Patch management (C) is necessary but does not provide immediate protection against new SQL injection attacks.

Physical controls (D) are unrelated to application-layer threats like SQL injection.