in reply to Getting a query string.

Wait? You have this up live? If the server-side user running the CGI has more than select permissions on the DB, any malicious web visitor could trash it. If that data has any importance to you (i.e., it's not a test), you should remove the CGI *immediately*. Please read up on the links for SQL injection attacks and placeholders already given by other monks.

(Update: calling it as an SSI is no protection. If it's callable from a web address by a user it doesn't matter if there is a level of indirection.)
