One of our clients' websites was getting hit with SQL injection attacks on a regular basis. Our first measure was to put in code like this:
Function QueryStringCheck()
    Dim StringList(10)
    ' Upper-case the raw query string so the keyword matches below are case-insensitive.
    strQuery = UCase(Request.ServerVariables("Query_String"))
    ' strQuery = Replace(URLDecode(strQuery), " ", "")
    ' URLDecode is a site-defined helper; Classic ASP has no built-in URL decoder.
    strQuery = URLDecode(strQuery)
    ' Response.Write strQuery
    ' Blacklist of SQL fragments that should never appear in a legitimate query string.
    StringList(1) = "EXEC("
    StringList(2) = "skip"
    StringList(3) = "INSERT "
    StringList(4) = "UPDATE "
    StringList(5) = "DELETE "
    StringList(6) = "DECLARE @"
    StringList(7) = "DECLARE%"
    StringList(8) = "';"
    StringCount = 8
    instring = 0
    For i = 1 To StringCount
        If InStr(strQuery, StringList(i)) > 0 Then
            instring = 1
        End If
    Next
    If instring = 1 Then
        ' Response.Write Request.ServerVariables("URL")
        Response.Redirect("500.asp?badscript=" & Request.ServerVariables("URL") & strQuery)
    End If
End Function
This code did a great job for a while, but the client kept getting hit. The client was not in a position to convert everything to parameterized queries, so we kept waiting for attacks, fixing the damage, and trying to decipher how the attacker was getting past our check. One day while looking at the logs I noticed DEC%LARE in the query string. This seemed very weird and was clearly not one of the keywords I was looking for. A quick search revealed that the .asp engine ignores the percent sign (%) if it is not followed by hex characters. That was our hole: our check matched on the literal text, while the database saw the string after the stray % had been dropped. Since we added DEC%LARE to our check we have no longer experienced any successful SQL injections. I would love to hear comments and questions.
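The general lesson behind the DEC%LARE finding is that a filter must match on the canonical form the backend actually sees, not on the raw request text. The following Python example (added here for illustration; it is not the client's ASP code) models the tolerant decoder described above, in which a stray % not followed by two hex digits is dropped, and shows that the same blacklist misses the obfuscated keyword under strict decoding but catches it once the input is canonicalized the same way the server does. The tolerant-decoder behaviour is taken from the post's description, not from IIS source.

```python
import re
from urllib.parse import unquote

# The keyword blacklist from the original ASP filter (matched against upper-cased input).
BLACKLIST = ["EXEC(", "SKIP", "INSERT ", "UPDATE ", "DELETE ", "DECLARE @", "DECLARE%", "';"]

_HEX_PAIR = re.compile(r"%([0-9A-Fa-f]{2})")


def strict_decode(qs: str) -> str:
    """Standards-style decoding: a '%' not followed by two hex digits is kept literally."""
    return unquote(qs)


def lenient_decode(qs: str) -> str:
    """Model of the tolerant decoder the post describes (assumed behaviour):
    '%XX' decodes to its character, while a stray '%' is silently dropped.
    ASCII-only, which is all the sample inputs need."""
    out = []
    i = 0
    while i < len(qs):
        m = _HEX_PAIR.match(qs, i)
        if m:
            out.append(chr(int(m.group(1), 16)))
            i = m.end()
        elif qs[i] == "%":
            i += 1  # stray percent sign: ignored, exactly the gap the post found
        else:
            out.append(qs[i])
            i += 1
    return "".join(out)


def is_suspicious(qs: str, decode) -> bool:
    """Run the blacklist over the query string after canonicalizing it with `decode`.
    Blacklisting is a stopgap; parameterized queries remain the real fix."""
    decoded = decode(qs).upper()
    return any(token in decoded for token in BLACKLIST)


def compare(qs: str) -> dict:
    """Return the verdict under both decoders so a mismatch is visible at a glance."""
    return {"strict": is_suspicious(qs, strict_decode),
            "lenient": is_suspicious(qs, lenient_decode)}


# Constructed sample query strings: a benign one, a plain keyword, and the obfuscated form.
SAMPLES = ["id=42&page=2", "id=1;DECLARE%20@s", "id=1;DEC%LARE%20@s"]
```

Running `compare` over `SAMPLES` shows the third string flagged only by the lenient-decoding check.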