Naming (if it's been done or if you can do it) the user accessible dbs in a characteristic format -- for example _user_specificname -- or the system dbs in a format which will NOT match any name assigned to a user file -- say, _sys_topsecret -- will at a minimum simplify the required regex, reduce the possibility of having a db with a name that's allowed when it's supposed to be system-use only, and -- some say -- offer modestly better security.

The conventional wisdom seems to be that regexen which allow only acceptable characters are more reliable than those which attempt to anticipate all the possible "bad" chars and prohibit them.

This "wisdom" has holes, and is probably not particularly helpful in the case where you have a limited universe of user-accessible db names, but may be worth knowing as you write regexen for other purposes.