No, blocking IP is not a solution because it keeps changing every time as well as the automatic requests the scripts send. One time it's DECLARE in the request, next time it might be something else, it's not consistent.
203.142.16.45 - - [05/Nov/2008:09:50:37 -0700] "GET /index.php?sort=-999+AND+1=1+UNION+ALL+SELECT+user(),database(),@@v ersion-- HTTP/1.0" 200 46841 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1"
203.142.16.45 - - [05/Nov/2008:09:50:37 -0700] "GET /index.php?sort=-1+AND+1=1+UNION+ALL+SELECT+user(),database(),@@ver sion-- HTTP/1.0" 200 46756 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
The survey.php is a part of the osc contribution that I added. I didn't make the code, so I use it as is, and it's working fine.
The Rewrite rules that you mentioned above, what do they mean? Will they match only if there will be either DECLARE or ExEC in requests?
Thanks.