sqlsecurity

What Does /**/or/**/ Mean?


We've logged GET requests where someone tried to add /**/or/**/ to the query string.

What does it mean, where can it do damage and what should I look out for in my code?

Edit

Specifically /**/or/**/1=@@version)-- - what would that be targeting?


Solution

  • It's almost certainly an attempt at a SQL Injection Attack or something very similar. It's easiest to think (and read) about this kind of vulnerability in terms of SQL, even if it's a slightly different attack vector in your case.

    The idea is that if you've got SQL of this kind:

    "SELECT User from USERS where UserName =" + user + " AND PASSWORD = " + password
    

    then inserting values like the one you've seen directly into the SQL can cause the query to mean something entirely different (and typically laxer) than you expect. Normally SQL injection attacks contain single quotes though, to terminate text values within SQL. Are you sure the attacks you've seen don't have single quotes?

    If you use parameterized SQL throughout your application (and no dynamic SQL within your database), and never try to use incoming user-specified values as "code" of any kind, you should be okay.

    I suspect in your case it may not be SQL that the attacker expects to use to penetrate your security; it may well be JavaScript. The idea is the same though: if you use any user input as "code" in some form, e.g. by building a string mixing that with predefined code, then executing that code, you're leaving yourself vulnerable to attack. Always treat code as code (under your control) and data as data.
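The concatenation-versus-parameters point from the answer, worked through as an added example (this is not code from the original question or answer). It assumes an in-memory SQLite table of users constructed here, a query shaped like the answer's example but with a parenthesised comparison, and a variant of the logged probe that uses 1=1 instead of @@version, because SQLite has no @@version; the mechanism is the same: /**/ stands in for spaces, ')' closes the open parenthesis, and '-- -' comments out the rest of the statement. The suspicious_params helper and the sample query strings are also constructed here as a log-triage aid, not a defence.

```python
import re
import sqlite3
from urllib.parse import parse_qsl

# Constructed sample data for the demo; not taken from the original post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "bob", 0), (3, "carol", 1)],
    )
    return conn


# Vulnerable form, built the way the answer's example is: the incoming value
# is pasted into the SQL text, so the database parses it as code.
def build_vulnerable_sql(user_id):
    return "SELECT name FROM users WHERE (id = " + user_id + ") AND active = 1"


def vulnerable_lookup(conn, user_id):
    return [row[0] for row in conn.execute(build_vulnerable_sql(user_id))]


# Hardened form: the same query with the value bound as a parameter. The
# driver hands the value to SQLite as data; it is never parsed as SQL, so a
# non-numeric string simply matches no integer id.
def parameterized_lookup(conn, user_id):
    sql = "SELECT name FROM users WHERE (id = ?) AND active = 1"
    return [row[0] for row in conn.execute(sql, (user_id,))]


# Constructed variant of the logged probe. The original uses @@version, a
# MySQL / SQL Server server variable SQLite does not have; 1=1 shows the same
# structure. Against the vulnerable query it becomes
#   ... WHERE (id = 1/**/or/**/1=1)-- -) AND active = 1
# so the 'active = 1' filter is commented away and every row comes back.
PROBE = "1/**/or/**/1=1)-- -"

# Constructed sample of GET query strings as a web server would log them
# (URL-encoded); the second carries the probe from the question.
SAMPLE_QUERY_STRINGS = [
    "id=3",
    "id=1%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version%29--+-",
    "q=hello+world",
]

# Heuristic for log triage (an assumption, not a rule): SQL comment
# sequences and server-variable prefixes have no business in a parameter
# value. It will miss other encodings and can false-positive on free text;
# parameterized queries remain the actual fix.
SQL_PROBE_MARKERS = re.compile(r"/\*.*?\*/|--|@@")


def suspicious_params(query_string):
    """Return (name, decoded value) pairs whose value looks like a SQL probe."""
    hits = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if SQL_PROBE_MARKERS.search(value):
            hits.append((name, value))
    return hits


if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_sql(PROBE))
    print("vulnerable:", vulnerable_lookup(conn, PROBE))
    print("parameterized:", parameterized_lookup(conn, PROBE))
    for qs in SAMPLE_QUERY_STRINGS:
        print(qs, "->", suspicious_params(qs))
```

Running it prints the concatenated statement so you can see the probe being accepted as SQL, lists every user (the inactive one included) for the vulnerable lookup, and an empty result for the parameterized one; the triage helper flags only the second query string, with the value already decoded so the /**/ and -- - are visible in the log output.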