in reply to Re: Preventing injection attacks
in thread Preventing injection attacks
Agreed. However, if for some reason your app actually requires the ability to input actual queries (like a SQL tutorial, maybe), you should probably be relying much more on the database's built-in security model. If you give an untrusted user real access to a database that you don't want them altering/destroying, a fragile regex is not going to save you.
As an aside for similar efforts, no regex of that length should be a one-liner. At the very least, you should be using the /x switch and commenting what you want to do. Even better would be building the regex in several chunks, so that a syntax error might have a prayer of being found.
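As an added example (my code, not the original poster's), here is what the second paragraph's advice looks like in Perl: a hypothetical "single simple SELECT only" filter for a SQL-tutorial sandbox, assembled from named `qr//x` chunks with comments instead of one long line. The table whitelist and the sample queries are constructed for the demonstration. The last sample is a legitimate query the filter wrongly rejects, which is exactly the fragility the reply warns about; the filter is at best a second layer behind a database account that can only read the tutorial tables.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Each piece is compiled on its own with /x so a syntax error points at the
# chunk that caused it, and so each chunk can be read and tested in isolation.
# /i on every chunk, because an interpolated qr// keeps its own flags.

my $identifier = qr/ [A-Za-z_] [A-Za-z0-9_]* /xi;           # unquoted SQL identifier

my $column_list = qr/
    (?: \*                                                 # SELECT *
      | $identifier (?: \s* , \s* $identifier )*           # or a, b, c
    )
/xi;

# Constructed whitelist of tables the sandbox exposes (an assumption for this example).
my $allowed_table = qr/ (?: students | courses | enrollments ) /xi;

my $where_clause = qr/
    \s+ WHERE \s+
    $identifier \s* (?: = | <> | < | > | <= | >= ) \s*     # one comparison only
    (?: \d+ | ' [^']* ' )                                  # number, or a literal with no embedded quote
/xi;

my $simple_select = qr/
    \A \s*
    SELECT \s+ $column_list \s+
    FROM   \s+ $allowed_table
    (?: $where_clause )?
    \s* ;? \s* \z                                          # one statement, nothing after it
/xi;

# Returns 'allowed' or 'rejected' for a candidate query string.
sub classify_query {
    my ($sql) = @_;
    return $sql =~ $simple_select ? 'allowed' : 'rejected';
}

# Constructed sample inputs.
my @samples = (
    "SELECT name, grade FROM students WHERE grade >= 90",     # allowed
    "select * from courses;",                                 # allowed
    "SELECT * FROM students; DROP TABLE students",            # rejected: stacked statement
    "SELECT * FROM users",                                    # rejected: table not whitelisted
    "SELECT name FROM students WHERE name = 'O''Brien'",      # rejected, but legitimate
);

for my $sql (@samples) {
    printf "%-8s  %s\n", classify_query($sql), $sql;
}
```

The fifth sample is the point of the exercise: a perfectly valid escaped quote trips the filter, and every such corner case you patch adds another line to the pattern. Keeping the chunks separate at least makes the next patch reviewable; the database's own grants are what actually stop a user from altering or destroying data.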