Yep, mostly SOL.
The database can do some policing, but not all. While you are protecting your db from your users, ponder this "sql injection" nasty:
The user gets to input his name; let's say you put it into $name. Then you execute this SELECT and return the results to him:
SELECT * FROM UserInfo WHERE name = '$name';
Now, let's suppose he fills in the form with
x' OR 'y' = 'y
Then you blissfully dump your entire table for him:
SELECT * FROM UserInfo WHERE name = 'x' OR 'y' = 'y';
OK, maybe that is not a good example, but do protect yourself by checking that numbers contain only digits and that strings are escaped (mysql_real_escape_string() or equivalent).
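The injection above, run end to end, as an added example that is not part of the original post. It uses Python's sqlite3 module instead of PHP/MySQL so it runs offline; the UserInfo table, its rows and the function names (lookup_vulnerable, lookup_safe, parse_id) are constructed for the illustration. The "or equivalent" for escaping here is a bound parameter, which the driver keeps separate from the SQL text, plus a digits-only check for numeric input as the post recommends.

```python
import re
import sqlite3

# Constructed sample data standing in for the UserInfo table in the post.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# The payload from the post, exactly as the user would type it into the form.
PAYLOAD = "x' OR 'y' = 'y"


def make_db():
    """Create an in-memory database with a UserInfo table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserInfo (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO UserInfo VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The pattern from the post: the user's input is pasted straight into the
    SQL text, so a quote in the input ends the literal and the rest becomes SQL."""
    query = "SELECT * FROM UserInfo WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Bound parameter: the SQL text is fixed, and the driver hands the value to
    the engine separately, so nothing in it can be parsed as SQL."""
    return conn.execute(
        "SELECT * FROM UserInfo WHERE name = ?", (name,)
    ).fetchall()


def parse_id(value):
    """Whitelist check for numeric input: accept only digits, then convert.
    Anything else (including '1 OR 1=1') is rejected before it reaches SQL."""
    if not re.fullmatch(r"[0-9]+", value):
        raise ValueError("not a number: %r" % (value,))
    return int(value)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, payload:", lookup_vulnerable(conn, PAYLOAD))  # whole table
    print("safe, payload:     ", lookup_safe(conn, PAYLOAD))        # no rows
    print("safe, real name:   ", lookup_safe(conn, "alice"))
    print("parse_id('42') ->", parse_id("42"))
    try:
        parse_id("1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The vulnerable lookup returns every row for the payload because the final query reads exactly like the one in the post; the parameterized lookup returns nothing, since it searches for a user whose name is literally the payload string.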