Very interesting that the htaccess File Editor POST Form works, but not the Custom Code POST Form. The first main difference that comes to mind is that the Custom Code Form saves code to your WordPress database and the htaccess File Editor writes code directly into your root htaccess file.
Do you have any other plugins installed on your website that do anything related to database filtering or security? It is going to be more likely that there is some kind of security rule at the server level that protects your database from SQL Injection attacks and the BPS Pro Query String Exploits code has code that matches SQL Injection attacks so that code is mistakenly seen as a threat. Contact your host ask them if they have any kind of security measure in place that would prevent the BPS Query String Exploits code from being saved to your database using a Form that POST's the data to your database. You can send them the BPS Query String Exploits section of code so that they can see what code is not being allowed to be saved to your database.