That is the hardest thing to create I can think of!
To create a filter script that allows friendly injection but that blocks injection that is not needed for the purpose of the challenge.

hmm.. well creating a full engine might not be necessary, but that challenge itself sounds tasty
There might be enough to just enter a bunch of sql queries that the user could take advantage of, with some nice error giving the user a some information. I don't exactly know how you would like to design the challenge, but I've had a few thoughts about creating a challenge like this before, after I read some article about it, but I've had too much in school lately. Anyhow, the idea is nice and I hope to see a challenge like that later.

just putting some queries into a database is kinda lame because it ends in guessing the right one. but i think it is kind of impossible to write an engine.

By now, there are lots of paper talking about sql injection, and the ways to evade any IDS. I think it's so difficult to filter efficiently the sql queries. An introductory paper to some evading injection signatures is http://www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html .

thebs: If you need very tecnical info, I can put you in contact with a friend at the network department in my university; he's just developing an IDS and maybe he has good info about the topic.

see you,
Corso