Even trying to parse the incoming string for DELETE, DROP TABLE, etc. is doomed to fail.
A sneakier attack uses HEX, such as 0x77616974666f722064656c61792027303a303a323027
What does that unreadable string mean?

DECLARE @x varchar(99)
SET @x = 0x77616974666f722064656c61792027303a303a323027  -- varbinary literal implicitly converted to varchar
SELECT @x
==> waitfor delay '0:0:20'
Waiting for 20 seconds is a standard trick for hackers to check if an application can transmit commands to the database engine.
Always use parameters, not string concatenation.
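As an added illustration, not part of the original post, the following Python script decodes the hex literal quoted above, shows that a keyword blacklist lets it through while the decoded text would be caught, and then shows a parameterized query handling the same text as plain data. It uses sqlite3 in place of SQL Server, and the customers table and its columns are made up for the example.

```python
import sqlite3

# Hex literal quoted in the post above (a T-SQL 0x... varbinary literal).
HEX_PAYLOAD = "0x77616974666f722064656c61792027303a303a323027"

# Keywords a naive filter might look for; the post explains why this is doomed.
BLACKLIST = ("delete", "drop table", "waitfor", "insert")


def decode_hex_literal(literal: str) -> str:
    """Return the text a 0x... hex literal converts to when assigned to varchar."""
    if not literal.lower().startswith("0x"):
        raise ValueError("not a 0x hex literal")
    return bytes.fromhex(literal[2:]).decode("ascii")


def keyword_filter_allows(user_input: str) -> bool:
    """Naive blacklist check: True means the input would be let through."""
    lowered = user_input.lower()
    return not any(word in lowered for word in BLACKLIST)


def lookup_customer(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized lookup: the driver binds `name` as a value, never as SQL text."""
    cur = conn.execute("SELECT id, name FROM customers WHERE name = ?", (name,))
    return cur.fetchall()


def demo() -> list:
    """Store the decoded payload as an ordinary value and read it back unchanged."""
    conn = sqlite3.connect(":memory:")  # constructed in-memory database for the example
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    payload = decode_hex_literal(HEX_PAYLOAD)  # waitfor delay '0:0:20'
    # The embedded single quotes are data here; no quoting or escaping is needed.
    conn.execute("INSERT INTO customers (name) VALUES (?)", (payload,))
    return lookup_customer(conn, payload)


if __name__ == "__main__":
    print("decoded :", decode_hex_literal(HEX_PAYLOAD))
    print("filter lets raw hex through:", keyword_filter_allows(HEX_PAYLOAD))
    print("filter lets decoded text through:", keyword_filter_allows(decode_hex_literal(HEX_PAYLOAD)))
    print("row stored and read back as data:", demo())
```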