I've implemented this ISAPI filter on my server, and I've been noticing in the IIS logs that URL encoded apostrophe ( %27 ) appears to be getting through, aswell as the keywords "UNION ALL SELECT" for MySQL. These appear in the IIS logs unfiltered.
Thankfully the code for the site prevented these injection attempts from succeeding, but I was disappointed to see that this filter did nothing to prevent it from getting that far. Ive tried these same strings in the ASPtestApp that came with the filter, and
it returned the string unfiltered.
Shouldn't this filter be checking for these things?