g1smd - 9:50 am on Feb 2, 2011 (gmt 0)
Since the question mark is a separator between the path part of the URL and the attached parameters, you will need to instead test THE_REQUEST and look for a question mark within.
In the code, the question mark will need to be escaped, thus \? and it might be worth also looking for the encoded %3F or whatever it is. You'll need to look up the actual ASCII code.
This is a topic that has been discussed several times before, and I remember that some of those threads contain a lot of example code.