A payment gateway that a client is using is reporting that data we're submitting to it is triggering an SQL injection warning, and as a result the connections are being rejected (the end user is in the payment stage on a shopping cart and is being told that their IP is being blocked, which isn't very nice).
The string they're apparently picking up on is: (Size:Medium (Size 12) )|27.4917 and specifically the ') )|27' part of it. The error being generated is: Possible SQL injection attack (detectSQLi)"] [data "s))o1,ARGS:xxxx"
Other strings have triggered this where the number is different; it seems to be ))|<number> that causes a problem. (xxxx is the field we're submitting the value in, edited so as not to identify the payment gateway in use.)
Any suggestions as to what SQL attack this is trying to catch? I can't think of anything where ))|27 would represent an SQL injection attack.
At the moment the payment gateway is just telling us to remove that string (they haven't given us an option to escape/encode it) which makes no sense. I'd like to know if this is part of a set of standard rules they're using that makes sense to someone or a homegrown set that might not.
Mark