the function convertFromSQLHex() converts SQLHEX to plain text. This meaning that if I use this attack vector:

SELECT 0x6D7973716C

The function must detect it and decode the string. But not. Try yourself and you'll see that converted string doesn't is:

SELECT mysql

This is due to the function detects ' 0x6D7973716C' instead of '0x6D7973716C', an extra white space that disturbs the later conversion process. To fix the problem replace line:

foreach (str_split(trim($match), 2) as $hex_index) {

With:

if (strpos($match, ' ') !== false) $converted = ' ';
foreach (str_split(trim($match), 2) as $hex_index) {

Regards