I'd just like to share a project I am doing which would enable clients to send SQL statements over HTTP using JSON-RPC, with the SQL statement in the params member. For security, whitelist validation is done using a dictionary, along with table/column field name conversion so as not to expose the real database table/column names.
Line 110 is where the SQL can be prepared using PDO. Use '?' as the placeholder and query_data inside params for the values, as an array. Also, make sure that 'result' => $mod_query in the response object reflects the right result variable.
I tried this and was able to make database queries using Postman.
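The approach described in this post, sketched as an added example (it is not the project's own code): each token of the client's statement must be a permitted keyword, an operator or a dictionary alias, aliases are rewritten to the real names, and the values travel separately in `query_data` to a PDO prepared statement. The `query` key, the `query` method name, the keyword list, the dictionary, the schema and both requests are assumptions constructed for the example, which uses an in-memory SQLite database through `pdo_sqlite`.

```php
<?php
// Added example, not the project's code: dictionary, schema and requests are constructed.
const KEYWORDS = ['SELECT', 'FROM', 'WHERE', 'AND', 'OR', 'ORDER', 'BY', 'LIMIT'];
const OPERATORS = ['?', ',', '=', '<', '>', '*'];
const DICTIONARY = [            // public alias => real table/column name
    'people' => 'tbl_users',
    'name'   => 'usr_fullname',
    'mail'   => 'usr_email',
    'id'     => 'usr_id',
];

function translate_query(string $sql): string
{
    // Words become one token each; any other non-space character is its own token,
    // so quotes, ';', comments and literal values all fail the whitelist below.
    preg_match_all('/[A-Za-z_]\w*|\S/', $sql, $m);
    $out = [];
    foreach ($m[0] as $tok) {
        if (in_array(strtoupper($tok), KEYWORDS, true) || in_array($tok, OPERATORS, true)) {
            $out[] = $tok;
        } elseif (array_key_exists(strtolower($tok), DICTIONARY)) {
            $out[] = DICTIONARY[strtolower($tok)];   // alias -> real name
        } else {
            throw new InvalidArgumentException('token not in whitelist');
        }
    }
    if (!$out) { throw new InvalidArgumentException('empty statement'); }
    return implode(' ', $out);
}

function handle_request(PDO $pdo, string $json): array
{
    $req = json_decode($json, true);
    $id  = $req['id'] ?? null;
    try {
        $stmt = $pdo->prepare(translate_query((string)($req['params']['query'] ?? '')));
        $stmt->execute(array_values((array)($req['params']['query_data'] ?? [])));
        // FETCH_NUM returns positional rows, so real column names never reach the client.
        return ['jsonrpc' => '2.0', 'result' => $stmt->fetchAll(PDO::FETCH_NUM), 'id' => $id];
    } catch (Throwable $e) {   // generic error: no SQL or schema detail in the response
        return ['jsonrpc' => '2.0', 'error' => ['code' => -32602, 'message' => 'Invalid params'], 'id' => $id];
    }
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE tbl_users (usr_id INTEGER, usr_fullname TEXT, usr_email TEXT)");
$pdo->exec("INSERT INTO tbl_users VALUES (1, 'Ann', 'ann@example.test'), (2, 'Bob', 'bob@example.test')");
$ok  = '{"jsonrpc":"2.0","method":"query","params":{"query":"SELECT name, mail FROM people WHERE id = ?","query_data":[2]},"id":1}';
$bad = '{"jsonrpc":"2.0","method":"query","params":{"query":"SELECT usr_email FROM tbl_users","query_data":[]},"id":2}';
foreach ([$ok, $bad] as $json) { echo json_encode(handle_request($pdo, $json)), "\n"; }
```

The second request names the real table and column directly and is refused, because only dictionary aliases pass validation.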