in reply to Detect SQL injection
Also, most databases have a fine-grained access system. If your table-creating program is running as a web service, give the connection only permission to create tables - and nothing else.
But parsing of types shouldn't be that hard - especially if you don't allow setting all kinds of constraints. I would just check for allowable types, and reject anything that doesn't look like a valid type definition (instead of trying to detect anything that may be a problem).
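
The allowlist check described in the reply above, as an added example that is not part of the original post: each user-supplied type definition is parsed, compared against a fixed list, and rebuilt from its parsed parts, so the raw input never reaches the SQL text. The type list, parameter limits, identifier rule and function names are assumptions chosen for illustration.

```python
import re

# Constructed allowlist: type name -> (min, max) number of integer parameters.
ALLOWED_TYPES = {
    "INTEGER": (0, 0), "BIGINT": (0, 0), "BOOLEAN": (0, 0), "DATE": (0, 0),
    "TEXT": (0, 0), "TIMESTAMP": (0, 0),
    "CHAR": (1, 1), "VARCHAR": (1, 1),
    "NUMERIC": (0, 2), "DECIMAL": (0, 2),
}
# A bare type name, optionally followed by one or two integers in parentheses.
TYPE_RE = re.compile(
    r"\s*([A-Za-z]+)\s*(?:\(\s*(\d{1,5})\s*(?:,\s*(\d{1,5})\s*)?\))?\s*")
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def normalize_type(definition):
    """Return a canonical type string, or raise ValueError if not allowlisted."""
    m = TYPE_RE.fullmatch(definition)
    if not m:
        raise ValueError("not a valid type definition")
    name = m.group(1).upper()
    params = [p for p in m.groups()[1:] if p is not None]
    if name not in ALLOWED_TYPES:
        raise ValueError("type not allowed: " + name)
    lo, hi = ALLOWED_TYPES[name]
    if not lo <= len(params) <= hi:
        raise ValueError("wrong number of parameters for " + name)
    # Rebuild from parsed parts; the caller's raw text never reaches the SQL.
    args = ",".join(str(int(p)) for p in params)
    return name + ("(" + args + ")" if params else "")


def build_create_table(table, columns):
    """columns: list of (column_name, type_definition) pairs from the user."""
    if not columns:
        raise ValueError("no columns")
    for ident in [table] + [c for c, _ in columns]:
        if not IDENT_RE.fullmatch(ident):
            raise ValueError("bad identifier")
    cols = ", ".join('"%s" %s' % (c, normalize_type(t)) for c, t in columns)
    return 'CREATE TABLE "%s" (%s)' % (table, cols)
```

Anything with trailing text after the type, such as a constraint or a second statement, fails the full-match and is rejected rather than inspected for known-bad patterns.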