Hmm, this poses an interesting problem. What if the person really wanted to "drop table"?
I would remedy the situation by having a configurable table prefix. Let's say you had a table in your database named "items"... you could then prefix it with "blah_" so that the user would have to know what your table names are beforehand in order for them to attack your website.
I would also check for things like "drop table" or "drop database" (on the other hand, if your MUD has a sci-fi theme, there could very well be items called "database" as I mentioned before) in an array of disallowable commands, nouns, verbs, etc.
Don't forget to escape your SQL string before you send it to the database... that's one of the worst mistakes you can make. In general, you just need to watch strings when they get pushed to the database.
About the ; : You have to make sure what type of MUD client (if applicable) the user is running. Not detecting version per se, but what if your MUD allows someone to piggy-back their commands on one line?
move north; drop sword; move east; fight imp
I suggest you tokenize your MUD command (I think for an application such as a MUD you probably are already anyway) and set the ; as a delimiter.
Your MUD may allow this, or the MUD client may allow them to do it (usually before it sends its buffer to your MUD) by tokenizing the string and sending the tokens separately itself to your MUD.
strtok(3) is a good function to use, but strsep(3) obsoleted it. Both may have issues with non-NULL terminated strings, I don't know. You may want to check out a C reference, or if you're feeling adventurous, write your own.
Some food for thought.
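Added example, not part of the original post: a hand-written splitter for ";"-separated MUD commands, followed by escaping of each command before it is placed in a SQL string literal. It uses strcspn(3) instead of strtok/strsep, and it assumes a database with standard SQL quoting (a single quote is escaped by doubling it, backslash is not special); the sample line and the `command_log` table are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Split `line` in place on ';'. Commands are trimmed and empty ones skipped.
 * Returns the number of commands stored in out[] (at most max). */
size_t split_commands(char *line, char **out, size_t max)
{
    size_t n = 0;
    while (*line != '\0' && n < max) {
        size_t len = strcspn(line, ";");          /* up to next ';' or NUL */
        char *next = line + len + (line[len] == ';');
        line[len] = '\0';
        while (isspace((unsigned char)*line)) line++;
        char *end = line + strlen(line);
        while (end > line && isspace((unsigned char)end[-1])) *--end = '\0';
        if (*line != '\0') out[n++] = line;
        line = next;
    }
    return n;
}

/* Copy `in` to `out` as the body of a SQL string literal, doubling each
 * single quote. Returns 0 on success, -1 if the result would not fit. */
int sql_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (; *in != '\0'; in++) {
        size_t need = (*in == '\'') ? 2 : 1;
        if (o + need >= outsz) return -1;         /* keep room for the NUL */
        if (*in == '\'') out[o++] = '\'';
        out[o++] = *in;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    char line[] = "move north; drop o'malley's sword; fight imp"; /* constructed */
    char *cmds[8], esc[64];
    size_t n = split_commands(line, cmds, 8);
    for (size_t i = 0; i < n; i++) {
        if (sql_escape(cmds[i], esc, sizeof esc) != 0) continue; /* too long: reject */
        /* "command_log" and "text" are hypothetical names */
        printf("INSERT INTO command_log(text) VALUES ('%s');\n", esc);
    }
}
```

Where the database library offers its own escaping call or bound parameters, those take the place of `sql_escape` here.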