SQL Injection attack code being too intrusive

Hey all,

A while back someone posted a regexp function which would check for the usual elements of a SQL query to make sure no injections were happening - all good. The only problem is I've got this on a site now and it's causing a few issues.

For example, the phrase 'Daddy or chips?' is being flagged as an injection attempt.

I've looked through the expression and can't see exactly where it's coming from, could any of you kindly souls help me out?

Code:
	szPattern = "SELECT((.|\s)*?)FROM((.|\s)*?)$|" & _
		"UPDATE((.|\s)*?)SET((.|\s)*?)$|" & _
		"INSERT[\s]+INTO((.|\s)*?)$|" & _
		"DELETE[\s]+FROM((.|\s)*?)$|" & _
		"(DROP|CREATE|ALTER|TRUNCATE)[\s]+TABLE[\s]+((.|\s)*?)$|" & _
		"UNION[\s]+(ALL|SELECT){1}[\s]+((.|\s)*?)$|" & _
		"DECLARE((.|\s)*?)[\s]+(NVARCHAR|VARCHAR|CHAR){1}((.|\s)*?)$|" & _
		"AND[\s]+((.|\s)*?)CONVERT((.|\s)*?)SP_PASSWORD$|" & _
		"[\r?\n|\r|\x00|\x1a]|[-]{2}"
Ta muchly!
 
After some testing I've discovered it catches whenever there is a ? in the string - can't see where in the pattern that hits though :confused:
 
Firstly the user input is being escaped. The reason this is being implemented is because the client wants to know if anyone is trying to subvert the system and if so, who, when and what they tried.

Secondly I'm using systems notation because it's what I learnt using and old habits die hard :)

So back on topic, anyone got any ideas? I was hoping someone would be able to spot it straight away without me having to actually do some work and dissect the regexp ;)
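
An added example (not code from the thread) that tests each alternative of the posted pattern separately to show which one fires on 'Daddy or chips?'. It is written in JavaScript, whose regex syntax handles these character classes the same way; case-insensitive matching and the alternative names are assumptions.

```javascript
// Added example, not code from the thread. The alternatives are copied from the
// posted szPattern and kept separate so each one can be tested on its own.
// Assumption: the original RegExp object runs with IgnoreCase enabled.
const alternatives = [
  ["select-from", String.raw`SELECT((.|\s)*?)FROM((.|\s)*?)$`],
  ["update-set", String.raw`UPDATE((.|\s)*?)SET((.|\s)*?)$`],
  ["insert-into", String.raw`INSERT[\s]+INTO((.|\s)*?)$`],
  ["delete-from", String.raw`DELETE[\s]+FROM((.|\s)*?)$`],
  ["ddl-table", String.raw`(DROP|CREATE|ALTER|TRUNCATE)[\s]+TABLE[\s]+((.|\s)*?)$`],
  ["union", String.raw`UNION[\s]+(ALL|SELECT){1}[\s]+((.|\s)*?)$`],
  ["declare", String.raw`DECLARE((.|\s)*?)[\s]+(NVARCHAR|VARCHAR|CHAR){1}((.|\s)*?)$`],
  ["and-convert", String.raw`AND[\s]+((.|\s)*?)CONVERT((.|\s)*?)SP_PASSWORD$`],
  ["control-chars", String.raw`[\r?\n|\r|\x00|\x1a]`],
  ["sql-comment", String.raw`[-]{2}`],
];

// Inside [...] the characters ? and | are literal set members, not a quantifier
// or alternation, so "control-chars" above matches any input containing ? or |.
// Listing only the intended characters removes the false positive.
const FIXED_CONTROL_CHARS = String.raw`[\r\n\x00\x1a]`;

// Return the names of every alternative that matches the input.
function matchingAlternatives(input, list = alternatives) {
  return list
    .filter(([, source]) => new RegExp(source, "i").test(input))
    .map(([name]) => name);
}

// Same list with the character class corrected.
const corrected = alternatives.map(([name, source]) =>
  name === "control-chars" ? [name, FIXED_CONTROL_CHARS] : [name, source]
);

// Constructed sample inputs: original hits first, corrected hits second.
const samples = ["Daddy or chips?", "fish | chips", "line one\nline two",
  "x' UNION SELECT pw FROM users--"];
for (const s of samples) {
  console.log(JSON.stringify(s), matchingAlternatives(s), matchingAlternatives(s, corrected));
}
```

Logging the name of the alternative that matched alongside the who/when/what record makes false positives like this one quick to trace.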
 