…continued…
SQL injections should jump out of the original SQL statement.
Methods: use of the single quote (')
use of the double dash (--)
(') delimiter for a SQL query.
(--) comment character in Oracle/MS SQL.

/((\')|(\%27))|(\-\-)|(\#)|(\%23)/ix

(')|(%27) the single quote and its URL-encoded equivalent.
(--) the double dash.
(#)|(%23) the pound sign and its URL-encoded equivalent.
So detect the hex equivalent of the (') single quote itself, or the presence of -- at the beginning of a comment, so that the rest that follows is ignored.
MS SQL Server should watch out for # or its hex equivalent.
The hex equivalent of -- does not count because it is not an HTML meta character, so %2D fails.
will be continued…
polonus
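The signature from the post above, run over a few request lines, as an added example that is not code from polonus' post. The request strings are constructed for this example and the function names are assumptions. The last step (URL-decoding before matching) goes beyond the post: it shows concretely what the %2D remark means, since the raw signature misses `%2D%2D` but a decoded copy of the request does not.

```python
import re
from urllib.parse import unquote

# The signature as given in the post: a single quote or its URL-encoding,
# the SQL line comment "--", and the "#" comment or its URL-encoding.
# Compiled with the i and x flags the post uses; under x, an unescaped "#"
# would start a regex comment, so it is escaped here.
SQLI_SIGNATURE = re.compile(r"((\')|(\%27))|(\-\-)|(\#)|(\%23)",
                            re.IGNORECASE | re.VERBOSE)


def signature_hits(request):
    """Tokens of the signature found in the raw (still URL-encoded) request."""
    return [m.group(0) for m in SQLI_SIGNATURE.finditer(request)]


def is_suspicious(request):
    """True if the raw signature fires anywhere in the request."""
    return SQLI_SIGNATURE.search(request) is not None


def hits_after_decode(request):
    """Same signature applied to a URL-decoded copy of the request.

    This is the extra step the post's %2D remark points at: "%2D%2D" is not
    a HTML meta character sequence the raw signature knows, but it decodes
    to "--", which the signature does catch.
    """
    return signature_hits(unquote(request))


def scan(requests):
    """Run both checks over a list of request lines and report per line."""
    report = []
    for line in requests:
        report.append({
            "request": line,
            "raw_hits": signature_hits(line),
            "decoded_hits": hits_after_decode(line),
        })
    return report


# Constructed sample request lines (not taken from any real log).
SAMPLE_REQUESTS = [
    "GET /login.asp?user=admin HTTP/1.1",
    "GET /login.asp?user=admin'-- HTTP/1.1",
    "GET /login.asp?user=admin%27%20OR%201=1%23 HTTP/1.1",
    "GET /login.asp?user=admin%2D%2D HTTP/1.1",
    "GET /search.asp?name=O'Brien HTTP/1.1",
]

if __name__ == "__main__":
    for entry in scan(SAMPLE_REQUESTS):
        flag = "HIT " if entry["raw_hits"] or entry["decoded_hits"] else "ok  "
        print(flag, entry["request"])
        print("      raw:", entry["raw_hits"], " decoded:", entry["decoded_hits"])
```

The last sample line is there as a caveat: a legitimate apostrophe in a name trips the same signature as an injection attempt, so this pattern is a first-pass IDS trigger, not a verdict on its own.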