Agreed. It looks like an attempt at injection to me. You're going to want to find out if it was successful. Your company may also have a policy in place where you notify the corporate security officer or someone similar. I hope the attempt failed and you can report it as such.

Next, figure out what application it came from and put some server-side validation in place to lock it down to the point where the queries don't even make it to the database server. Client-side is fine, but there are ways around that.

I'm not trying to get preachy when I say this, but this is never pleasant. I expect growth and learning to occur today for you. I know it did for me on my first one.