tl;dr:"I know what you are thinking: Exposing an API that accepts SQL is crazy. It's a terrible idea. Especially if the API is exposed on the internet. Doing that is insecure and will lead to SQL injection attacks, it is a nightmare to maintain and it will lock the backend implementation into a specific technology (some ANSI SQL database). But is that really true? Time to re-evaluate!"