Rather than attempting to intercept and modify SQL calls originating from the
application, perhaps you can instead implement an abstraction layer without
changing the application's SQL.
For example, if you can modify the DSN or login connection string for the
application, then connsider the following. Let's assume the current database
is [A]. Create a new database [B] that contains views and functions (but not
tables) with the same name as what is in [A], then modify them to reference
the tables in [A]. Add whatever additional joins, filtering, etc. are needed
to implement your (what I'm assuming) row based security. Then, modify the
application DSN to use database [B] instead of [A].