Of course you are also including regular punctuation and spaces?
What about this, for example?
If properly crafted,
    select username,password from user_table where user=3273 or 1=1
Since 1=1 is always true, this simple example would display all user names and passwords in the database.
Before completely cleansing you should look for patterns used to inject commands into your input fields, including but not limited to drop, insert, update, or, and . . .
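
An added example, not part of the original post: the query above built by string concatenation, next to the same lookup with a bound parameter and with numeric validation, each run against the input 3273 or 1=1. The in-memory SQLite table, its sample rows and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory user_table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_table (user INTEGER, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO user_table VALUES (?, ?, ?)",
        [(3273, "alice", "pw-a"), (3274, "bob", "pw-b"), (3275, "carol", "pw-c")],
    )
    return conn

def lookup_concatenated(conn, user_input):
    """Vulnerable form: the input becomes part of the SQL text and is parsed as SQL."""
    sql = "select username,password from user_table where user=" + user_input
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_input):
    """Bound parameter: the input is passed as a value and is never parsed as SQL."""
    sql = "select username,password from user_table where user=?"
    return conn.execute(sql, (user_input,)).fetchall()

def lookup_validated(conn, user_input):
    """Allow-list check (ASCII digits only) before binding the value."""
    if not (user_input.isascii() and user_input.isdigit()):
        raise ValueError("user id must be numeric")
    return lookup_parameterized(conn, int(user_input))

if __name__ == "__main__":
    conn = make_db()
    crafted = "3273 or 1=1"  # the input from the post
    print("concatenated :", lookup_concatenated(conn, crafted))
    print("parameterized:", lookup_parameterized(conn, crafted))
    try:
        lookup_validated(conn, crafted)
    except ValueError as exc:
        print("validated    : rejected,", exc)
```

With the bound parameter the whole string is compared to the user column as a single value, so the trailing or 1=1 never reaches the SQL parser.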