NO_BACKSLASH_ESCAPES MODE

The query string during SQL processing by the interpreter will already be considered by the SQL syntactic apparatus, it is no longer possible to distinguish what they really meant when they substituted the parameters.
Preprocessing such a string with regular expressions, although it can be useful for individual test cases, will not save you from sql injections.
The developer of an external application should be severely punished for making a request like this:
And his application should be excluded from production, as containing a vulnerability that allows attacks with sql injections, before a fix of such a plan is made in all cases (!!!) where the application contacts the DBMS, and not just in this query:

$sql = "insert into table_name(name) value(:param1)";  //текст запроса с метками для вставки параметров;
$prep_sql = $sqlconnect->prepare($sql); //подготовка SQL-запроса, фактически, синтаксический разбор и выявление меток, куда вставлять параметры, проверка ошибок;
$prep_sql->bindParam('param1', $str_param, STRING_TYPE); //связываем параметры с метками в запросе, проверяем тип входного параметра;
$prep_sql->execute(); //выполняем запрос