in reply to How to parse a QUERY_STRING and construct an sql query out of that ?

Once you do write some parsing code, you probably want to do some checking, and not just execute arbitrary SQL. I would think that UPDATE, DELETE, DROP, TRUNCATE etc. should probably all be prohibited.

It may be that this is all on a closed network, and you trust the callers, but you can never be too careful...
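As an added illustration of the checking this reply recommends (example code, not from the thread): rather than scanning caller-supplied SQL for forbidden verbs, never take SQL from QUERY_STRING at all; accept only allowlisted column names as filters and bind the values as parameters, so a SELECT is the only statement that can ever run. The `people` table, its columns and the rows are constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qs

# Columns a caller may filter on (constructed example schema, not a real app).
ALLOWED_COLUMNS = {"name", "city"}


def build_select(query_string):
    """Turn a QUERY_STRING into a parameterised SELECT over an allowlist.

    Keys must be allowlisted column names; values never enter the SQL text,
    they are returned separately to be bound as parameters. Anything that is
    not a well-formed key=value pair, or names an unknown column, is rejected.
    """
    params = parse_qs(query_string, strict_parsing=True)
    where, binds = [], []
    for key, values in params.items():
        if key not in ALLOWED_COLUMNS:
            raise ValueError(f"column not permitted: {key!r}")
        if len(values) != 1:
            raise ValueError(f"exactly one value expected for {key!r}")
        where.append(f"{key} = ?")       # identifier comes from the allowlist
        binds.append(values[0])          # value is bound, never interpolated
    sql = "SELECT id, name, city FROM people"
    if where:
        sql += " WHERE " + " AND ".join(where)
    return sql, binds


def is_permitted(query_string):
    """True if the query string maps to an allowed SELECT, False otherwise."""
    try:
        build_select(query_string)
        return True
    except ValueError:
        return False


def run_query(conn, query_string):
    sql, binds = build_select(query_string)
    return conn.execute(sql, binds).fetchall()


def demo_db():
    """Constructed in-memory sample data for exercising the functions above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO people (name, city) VALUES (?, ?)",
                     [("alice", "Oslo"), ("bob", "Oslo"), ("carol", "Bergen")])
    return conn
```

A value such as `x' OR 1=1 --` is simply compared as a literal string, and a key that is not an allowlisted column is refused before any SQL is assembled.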