I'm afraid it doesn't.
In your example, if "now()" is a SQL fragment, you would still have security issues?
I'd suggest that you see what options your database gives you to totally not trust the SQL, e.g. a very low-power user and only select against views, or you re-parse the SQL to check its contents (this seems like a poor man's version of using your database to constrain the SQL).
Maybe add SQL as a tag? Might be a bit of religious war about allowing untrusted SQL to hit your database.
A further worry is to protect against DoS, so the database may also be best placed to do resource limitation, e.g. the client sends (in any format) a hideous Cartesian join.
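
One way to have the database engine itself constrain untrusted SQL and cap its cost, as an added example that is not part of the original post. It assumes SQLite driven from Python: SQLite has no user accounts, so an authorizer callback with a column allowlist stands in for the low-power user and views, and a progress handler supplies the resource limit; the table, columns and data are constructed.

```python
import sqlite3

# Constructed schema: table and column names are hypothetical.
# Only these (table, column) pairs may be read by untrusted SQL.
READABLE = {("orders", "id"), ("orders", "total")}

def authorizer(action, arg1, arg2, dbname, source):
    """Called by SQLite while it compiles a statement; default is deny."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and (arg1, arg2) in READABLE:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # writes, DDL, PRAGMA, ATTACH, functions, other columns

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, total REAL, card TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(i, i * 1.5, "constructed-card") for i in range(1, 41)])
    conn.commit()
    conn.set_authorizer(authorizer)  # from here on the connection is locked down
    return conn

def run_untrusted(conn, sql, budget=200):
    """Run one untrusted statement; abort it after about budget * 1000 VM instructions."""
    calls = 0
    def tick():
        nonlocal calls
        calls += 1
        return 1 if calls > budget else 0  # non-zero tells SQLite to interrupt
    conn.set_progress_handler(tick, 1000)  # fresh budget for every statement
    try:
        return ("ok", conn.execute(sql).fetchall())
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return ("rejected", str(exc))

if __name__ == "__main__":
    db = open_db()
    for q in ("SELECT id, total FROM orders WHERE id <= 2 ORDER BY id",
              "SELECT card FROM orders",
              "DELETE FROM orders",
              "SELECT a.id, b.id, c.id, d.id FROM orders a, orders b, orders c, orders d"):
        status, detail = run_untrusted(db, q)
        print(status, "|", q, "|", detail if status == "rejected" else len(detail))
```

The SQL text is never inspected by the application; the engine makes both decisions, the first when it compiles the statement and the second while it runs.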