Yes, I see what you are doing now, and I have something similar.
However, there are 2 big differences in my approach.
a) I use (as in composition) PDO so the values are automatically prepared for safer inserting
b) the table column names are checked against a white list of permitted column names
I achieve b) by loading an ini file which serves two purposes, to create the checklist of table columns and to simple form generation and validation.
I have read that you can do b) (generate a white list of permitted column names) by grabbing the database table meta data first.
So I my class picks up something similar to;
So the sql generator chucks out messages when I pass it a form containing invalid values.
As in your case this is done in a private login area, and if it detects anything funny, I log the user out. It works very well Ajax.
Maybe that will give you some ideas.
... although I would be the first to admit that having to maintain an ini file makes the whole thing less flexible and more brittle.