OK, we must care about SQL injections. But how?
"For Joel's proposed attack to succeed, everything has to go wrong. The server has to fail to validate input, then use it in an insecure way, then connect to the database as an administrator. Regrettably, many server-side web apps leave themselves wide open to these sorts of attacks. Eliminate all of these problems, not just the string concatenation."
A very nice how-to, written by Eric Lippert in response to Joel's post about SQL injection.
I have an objection, though: using a regex to validate alphanumeric input is a neon sign saying "This site is for Americans only!", because your regex will hardly take accented letters into account. Let's not even speak of letters and digits in non-Latin scripts!
I'll post some code to do such validation correctly. Stay tuned...
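To make both points concrete, here is an added example (mine, not code from the original post or from Eric Lippert's how-to). It puts the string-concatenation query beside a parameterized one against a constructed in-memory SQLite table, and compares an ASCII-only alphanumeric regex with a Unicode-aware check built on character categories. The table, the user names and the injection payload are all constructed for the demo; the password column is plain text only to keep the example short, which is not how passwords should be stored.

```python
import re
import sqlite3
import unicodedata

# Constructed sample data (not from the original post). Two of the names
# contain accented Latin letters, one is Greek.
SAMPLE_USERS = [
    ("alice", "secret1"),
    ("josé", "secret2"),
    ("Zoë", "secret3"),
    ("Γιώργος", "secret4"),
]


def make_db():
    """Build an in-memory table for the demo (plaintext passwords only for brevity)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Joel's pattern: user input is pasted into the SQL text, so a quote in the
    input ends the literal and the rest of the input becomes SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Placeholders: the driver sends the values separately from the statement,
    so a quote in the input is just a quote in a string value."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# The "Americans only" check: accepts ASCII letters and digits, nothing else.
ASCII_ALNUM = re.compile(r"^[A-Za-z0-9]+$")


def is_alnum_ascii(s):
    return bool(ASCII_ALNUM.match(s))


def is_alnum_unicode(s):
    """Letters and digits from any script. Uses Unicode general categories:
    L* (letters) and Nd (decimal digits); M* (combining marks) are allowed
    after a letter so scripts that write vowel signs as marks are not rejected.
    NFC normalization folds 'e' + combining acute into the single letter 'é'."""
    s = unicodedata.normalize("NFC", s)
    if not s:
        return False
    for i, ch in enumerate(s):
        cat = unicodedata.category(ch)
        if cat.startswith("L") or cat == "Nd":
            continue
        if cat.startswith("M") and i > 0:
            continue
        return False          # quotes, spaces, punctuation, symbols all land here
    return True


def login_defended(conn, name, password):
    """Defense in depth, per Lippert: validate the field that has a known shape
    (the user name), then still use placeholders for the query. The password is
    deliberately not restricted to alphanumerics; punctuation is legitimate there."""
    if not is_alnum_unicode(name):
        raise ValueError("invalid user name")
    return login_parameterized(conn, name, password)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"    # constructed injection string for the demo
    print("concatenation, injected password:", login_vulnerable(db, "alice", payload))
    print("parameterized, same input:        ", login_parameterized(db, "alice", payload))
    for n in ["alice", "josé", "Γιώργος", payload]:
        print(f"{n!r:16} ascii={is_alnum_ascii(n)!s:5} unicode={is_alnum_unicode(n)}")
```

Run it and the concatenated query returns every user for the injected password while the parameterized one returns none; the ASCII regex rejects "josé" and "Γιώργος" just as firmly as it rejects the injection string, whereas the category-based check tells the two cases apart. The Unicode check is still a whitelist: it rejects quotes, spaces and symbols, so it serves Lippert's "validate input" layer without locking out non-ASCII names.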

