> The result was an API endpoint that looked like: /api/query?q=SELECT * FROM table WHERE x

Ahhhhhhhgh. If I ever make that cybersecurity house of horrors, that's going in it