• Even trying to parse the incoming string for DELETE, DROP TABLE, etc. is doomed to fail.

    A sneakier attack uses HEX, such as 0x77616974666f722064656c61792027303a303a323027

    What does that unreadable string mean?

    [font="Courier New"]DECLARE @x varchar(99)

    SET @x=0x77616974666f722064656c61792027303a303a323027

    SELECT @x

    ==> waitfor delay '0:0:20'[/font]

    Waiting for 20 seconds is a standard trick for hackers to check if an application can transmit commands to the database engine.

    Always use parameters, not string concatenation.
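A runnable illustration of the two points above (a keyword blacklist that the hex form walks straight past, and the parameterized query that makes the encoding irrelevant), added here as an example and not part of the original post. It uses Python's sqlite3 module rather than SQL Server, so the implicit 0x-literal-to-varchar conversion shown in the DECLARE/SET/SELECT snippet is emulated with bytes.fromhex; the keyword list, the users table and its rows are constructed assumptions.

```python
import sqlite3

# Hex-encoded payload quoted in the post (the 0x prefix is SQL Server's binary-literal syntax).
PAYLOAD_HEX_LITERAL = "0x77616974666f722064656c61792027303a303a323027"

# Hypothetical keyword blacklist of the kind the post says is doomed to fail.
BLOCKED_KEYWORDS = ("delete", "drop table", "waitfor", "exec")


def naive_filter_blocks(user_input: str) -> bool:
    """Case-insensitive substring blacklist: True when the input would be rejected."""
    lowered = user_input.lower()
    return any(keyword in lowered for keyword in BLOCKED_KEYWORDS)


def decode_hex_literal(hex_literal: str) -> str:
    """Emulate what SQL Server does when a 0x... literal is assigned to a varchar:
    each byte of the literal becomes one character of the resulting string."""
    digits = hex_literal[2:] if hex_literal.lower().startswith("0x") else hex_literal
    return bytes.fromhex(digits).decode("ascii")


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample table (not from the post) so the queries below run offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_role_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the attacker-controlled value is spliced into the SQL text."""
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_role_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT role FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


if __name__ == "__main__":
    print(decode_hex_literal(PAYLOAD_HEX_LITERAL))        # waitfor delay '0:0:20'
    print(naive_filter_blocks("waitfor delay '0:0:20'"))  # True: the plaintext form is caught
    print(naive_filter_blocks(PAYLOAD_HEX_LITERAL))       # False: the hex form is not
    db = build_demo_db()
    print(lookup_role_concat(db, "' OR '1'='1"))          # ['admin', 'user']: every row leaks
    print(lookup_role_param(db, "' OR '1'='1"))           # []: same input, treated as data
```

The blacklist fails because it inspects the bytes the application sees, not the text the database engine will decode from them; the bound parameter removes that gap entirely, since the value is never parsed as SQL no matter how it is encoded.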