Never try and prevent SQL injection solely by JavaScript. What happens if I turn JavaScript off? Your validation fails instantly. What happens if I modify your JS and remove the keywords you are preventing me from injecting?
Always validate it against the server.