When it comes to ensuring that no malicious data are actually stored in your database (e. g. a set of .csv files, or some other structured way to store data), a different type of question is usually more effective. Basically, you want to consider “how do I clean and/or control the data that my server receives before storing them to my database?”. Again, I don’t know much about how Pavlovia/PsychoPy does this. Ideally it would be possible to specify things like “data that are to be saved to this field (column in a .csv file) must be integers, and be in the range of 0-100”. If any of the checks fail, an error would be raised and the participant would e. g. be asked to contact you as the researcher, and you would also receive some kind of notification that things have gone awry.