When people figure out the user name and password of your database, which have to be stored somewhere in your application files, they can do almost anything to the tables available; it depends on what rights you give the user.
You can set these options in MySQL:
http://www.debiantutorials.org/images/user-privileges-phpmyadmin.png

But adding 1000 gold coins instead of 1 cannot be disabled this way.
There is no way to secure a direct connection to the database.

What you should do is wrap all queries into PHP files and access them via an HTTP GET plugin. In those PHP files, you could do the checks if the query is valid.

Btw: I'm also working on an MMORPG ;)
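
A sketch of the server-side wrapper described in the post above, as an added example that is not part of the original post. The schema, the per-player token and the `collectCoin` function are assumptions made for illustration; in-memory SQLite stands in for MySQL so the demo runs offline.

```php
<?php
declare(strict_types=1);
// Assumed schema (not from the post):
//   players(id, token, gold)   coins(id, value, collected_by NULL until picked up)

function collectCoin(PDO $db, int $playerId, string $token, int $coinId): string
{
    $db->beginTransaction();
    try {
        // The client proves who it is with a per-player token; it never sees DB credentials.
        $q = $db->prepare('SELECT token FROM players WHERE id = ?');
        $q->execute([$playerId]);
        $stored = $q->fetchColumn();
        if (!is_string($stored) || !hash_equals($stored, $token)) {
            $db->rollBack();
            return 'denied';
        }
        // Claim the coin once. The amount never comes from the client.
        $q = $db->prepare('UPDATE coins SET collected_by = ? WHERE id = ? AND collected_by IS NULL');
        $q->execute([$playerId, $coinId]);
        if ($q->rowCount() !== 1) {
            $db->rollBack();
            return 'invalid';
        }
        $q = $db->prepare('UPDATE players SET gold = gold + (SELECT value FROM coins WHERE id = ?) WHERE id = ?');
        $q->execute([$coinId, $playerId]);
        $db->commit();
        return 'ok';
    } catch (Throwable $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        return 'error';
    }
}

// Offline demo on constructed data (in-memory SQLite stands in for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, token TEXT, gold INTEGER)');
$db->exec('CREATE TABLE coins (id INTEGER PRIMARY KEY, value INTEGER, collected_by INTEGER)');
$db->exec("INSERT INTO players VALUES (1, 'constructed-token', 0)");
$db->exec('INSERT INTO coins VALUES (7, 1, NULL)');

// In the real endpoint these three values would come from $_GET after integer validation.
echo collectCoin($db, 1, 'constructed-token', 7), "\n"; // first pickup
echo collectCoin($db, 1, 'constructed-token', 7), "\n"; // replay of the same request
echo collectCoin($db, 1, 'wrong-token', 7), "\n";       // bad token
echo $db->query('SELECT gold FROM players WHERE id = 1')->fetchColumn(), "\n";
```

The request names a coin, not an amount, so a modified client cannot ask for 1000 gold; the database account used by the script can additionally be limited to SELECT and UPDATE on these two tables.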