1. Don't use the omnipotent ROOT user in your application's connection code. Give every user account a PASSWORD as soon as possible!
2. Create an SPadmin user with full rights to SELECT, UPDATE, INSERT, DELETE and EXECUTE. Create all your stored procedures as this user.
3. Remove all rights from the other users except the right to EXECUTE stored procedures.
Removing the rights to SELECT, UPDATE, INSERT and DELETE will prevent most SQL injection attacks. Remember that dynamic SQL strings (statements built by concatenating input into the query text) are your weak point.
4. In the stored procedure, be aware of the default SQL SECURITY DEFINER clause in your CREATE PROCEDURE code. A user with no rights inherits SPadmin's rights only while running the stored procedure; their access to the data is only through your strict code - the STORED PROCEDURE.
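The four steps above as one MySQL script, added here as an example and not part of the original post. The database, host and account names (app_db, spadmin, app_user, the customers table) are assumptions, and CREATE ROUTINE is granted in addition to the rights listed because MySQL requires it to create a procedure.

```sql
-- Part 1: run as the administrator (root), once.
-- Step 1: root gets a password and is never used from application code.
ALTER USER 'root'@'localhost' IDENTIFIED BY 'choose-a-strong-password';

-- Step 2: owner account for the procedures (DML + EXECUTE, plus CREATE ROUTINE to define them).
CREATE USER 'spadmin'@'localhost' IDENTIFIED BY 'another-strong-password';
GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, CREATE ROUTINE
    ON app_db.* TO 'spadmin'@'localhost';

-- Step 3: the account the application connects with gets EXECUTE only.
-- It cannot run SELECT/INSERT/UPDATE/DELETE directly, so injected statements fail.
CREATE USER 'app_user'@'%' IDENTIFIED BY 'app-password';
GRANT EXECUTE ON app_db.* TO 'app_user'@'%';

-- Part 2: run while connected as spadmin, so spadmin becomes the DEFINER.
-- Step 4: SQL SECURITY DEFINER (the default, written out here) means the body runs
-- with spadmin's rights when app_user calls it; app_user's own rights are unchanged.
DELIMITER //
CREATE PROCEDURE app_db.get_customer_by_email(IN p_email VARCHAR(255))
SQL SECURITY DEFINER
BEGIN
    -- Static statement: p_email is a bound value, never spliced into the SQL text.
    SELECT id, name, email FROM app_db.customers WHERE email = p_email;
END //

-- The weak point: dynamic SQL. If a statement must be built at runtime, whitelist any
-- identifier and pass the value through a prepared-statement placeholder, not CONCAT.
CREATE PROCEDURE app_db.search_customers(IN p_column VARCHAR(64), IN p_value VARCHAR(255))
SQL SECURITY DEFINER
BEGIN
    -- Column names cannot be bound as parameters, so they are checked against a fixed list.
    IF p_column NOT IN ('name', 'email', 'city') THEN
        SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'unsupported search column';
    END IF;
    SET @sql = CONCAT('SELECT id, name, email FROM app_db.customers WHERE `',
                      p_column, '` = ?');
    SET @v = p_value;            -- the user-supplied value travels only as a parameter
    PREPARE stmt FROM @sql;
    EXECUTE stmt USING @v;
    DEALLOCATE PREPARE stmt;
END //
DELIMITER ;
```

The application then connects as app_user and issues only CALL statements; a direct `SELECT` from that connection is refused by the server regardless of what text reaches it.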