Tags: sql, post, get, sql-injection

Is it a bad practice to do search using post request?


I'm doing a shopping list search by name. If the name matches, then it shows all the available items from the database. Is it a bad practice to implement search using a POST request? I've checked that it's working perfectly and is not injectable.

A bonus question: is there any way a user can drop (delete) a table if the search field is vulnerable to SQL injection?

Thanks in advance.


Solution

It's not bad practice to code it that way. Another option would be to use asynchronous JavaScript using a REST call that returns data. But either way, you're going to hit the database with a web request.

If your code allows SQL injection, then an attacker can do anything to the database that is allowed for the user account that is used to create the connection, including possibly dropping tables.

One common way to prevent SQL injection is to build all SQL statements using parameterized queries, such as the ones implemented with JDBC or ODBC. Be careful when building SQL from scratch.
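The following is an added example, not code from the question or the answer above, showing the difference the answer describes between a search that builds its SQL string from the input and one that uses a parameterized query. It uses Python's standard `sqlite3` module with a constructed in-memory shopping-list table (the item names, quantities and prices are made up for the demo); the function names `search_vulnerable`, `search_parameterized` and `demo` are this example's own. The same two shapes apply to any driver, including JDBC and ODBC prepared statements.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
SAMPLE_ITEMS = [
    ("milk", 2, 1.20),
    ("bread", 1, 2.50),
    ("O'Brien's jam", 3, 4.00),
    ("eggs", 12, 3.10),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory shopping-list table filled with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT, qty INTEGER, price REAL)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ITEMS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Search by name by pasting the raw input into the SQL text.

    Whatever the user typed becomes part of the statement itself, so a quote
    character in the input changes the statement's structure. This is the
    pattern the answer warns about ("building SQL from scratch").
    """
    sql = f"SELECT name, qty, price FROM items WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Search by name with a parameterized query.

    The SQL text is fixed; the driver ships the value separately, so the input
    is only ever compared as data and can never add clauses or statements.
    """
    sql = "SELECT name, qty, price FROM items WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both search styles against the same inputs and report what happens."""
    conn = make_db()
    results = {}

    # 1. Honest input containing an apostrophe: the string-built query is not
    #    even valid SQL any more, while the parameterized one finds the row.
    honest = "O'Brien's jam"
    try:
        search_vulnerable(conn, honest)
        results["apostrophe_vulnerable"] = "ok"
    except sqlite3.Error:
        results["apostrophe_vulnerable"] = "syntax error"
    results["apostrophe_parameterized"] = len(search_parameterized(conn, honest))

    # 2. The textbook tautology: string-building turns the WHERE clause into
    #    "name = '' OR '1'='1'" and returns every row (the symptom to look for
    #    in logs: a name search that suddenly returns the whole table).
    #    The parameterized query compares against the literal string and
    #    returns nothing.
    tautology = "' OR '1'='1"
    results["tautology_vulnerable"] = len(search_vulnerable(conn, tautology))
    results["tautology_parameterized"] = len(search_parameterized(conn, tautology))

    # 3. The "drop a table" case from the bonus question, sent through the
    #    parameterized search only: it is just an unusual item name, so no row
    #    matches and the table is untouched. Whether the vulnerable version
    #    would actually execute a stacked DROP depends on the driver and
    #    database (Python's sqlite3 refuses more than one statement per
    #    execute(); other drivers accept several), which is why the answer's
    #    point stands: with injection, the connection's privileges are the
    #    only limit.
    stacked = "'; DROP TABLE items; --"
    results["stacked_parameterized"] = len(search_parameterized(conn, stacked))
    results["rows_after"] = conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Whether the search arrives by GET or POST makes no difference to any of this: the request method only decides where the input sits in the HTTP message, and the database sees the same string either way. Parameterization is what keeps that string from being interpreted as SQL.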