(It's obvious to me that the site is at high risk since user-provided strings show up in SQL validation errors, which include the rest of a real query, but simple injections like using ' and " to break out did not work in my few minutes of trying, so I'm interested to learn what worked.)