One big security risk is letting someone from the outside send unchecked SQL into a DB. That's why applets almost never use JDBC, and even less so over a public network. I take it that only properly authenticated users can run the applet? Even if that's the case, use only stored procedures (that also perform parameter checking), and don't give the MySQL account used by the applet rights to issue raw SQL (like INSERT, UPDATE, DELETE).
That's just general advice. I'm not familiar enough with MySQL to speak about its security history.
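The setup recommended above, sketched for MySQL as an added example that is not part of the original post: one stored procedure that checks its parameters, and an account whose only privilege is to execute it. The database, table, procedure and account names (`appdb`, `orders`, `add_order`, `applet_user`) are hypothetical.

```sql
-- Hypothetical schema and names, constructed for illustration.
-- Run as an administrative account in the mysql client (DELIMITER is a client command).
CREATE DATABASE IF NOT EXISTS appdb;
USE appdb;

CREATE TABLE IF NOT EXISTS orders (
    id          INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
    customer_id INT UNSIGNED NOT NULL,
    item_code   CHAR(8) NOT NULL,
    quantity    SMALLINT UNSIGNED NOT NULL,
    created_at  TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
);

DELIMITER //

-- SQL SECURITY DEFINER (the default): the body runs with the definer's rights,
-- so the calling account needs no INSERT privilege on the table itself.
CREATE PROCEDURE add_order(
    IN p_customer_id INT UNSIGNED,
    IN p_item_code   VARCHAR(8),
    IN p_quantity    INT
)
SQL SECURITY DEFINER
BEGIN
    -- Parameter checking: reject anything outside the expected shape and range.
    IF p_customer_id IS NULL OR p_customer_id = 0 THEN
        SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'invalid customer id';
    END IF;
    IF p_item_code IS NULL OR p_item_code NOT REGEXP '^[A-Za-z0-9]{8}$' THEN
        SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'invalid item code';
    END IF;
    IF p_quantity IS NULL OR p_quantity < 1 OR p_quantity > 100 THEN
        SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'invalid quantity';
    END IF;

    -- Static statement with bound parameters; no dynamic SQL is built from input.
    INSERT INTO orders (customer_id, item_code, quantity)
    VALUES (p_customer_id, p_item_code, p_quantity);
END //

DELIMITER ;

-- The account the applet connects with: EXECUTE on this one procedure, nothing else.
CREATE USER 'applet_user'@'%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
GRANT EXECUTE ON PROCEDURE appdb.add_order TO 'applet_user'@'%';

-- Verify: the output should list USAGE and the single EXECUTE grant only.
SHOW GRANTS FOR 'applet_user'@'%';
```

With these grants, a raw `INSERT`, `UPDATE`, `DELETE` or `SELECT` sent over the applet's connection is rejected with an access-denied error; only `CALL appdb.add_order(...)` succeeds.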