Are there any flaws in allowing SQL queries as part of an API to retrieve data?

We are working on an API to allow clients to access bits of data from a series of tables. We have developed a JSON-based API that works well but could certainly be improved.

We are now at the stage where we want to update the API to make it easier to use. The idea was to allow raw SQL queries to be passed to the API for filtering and searching data. To counter the glaring insecurities, we would like …

  • Restrict the mysql user who will execute the queries to TO SELECT only
  • Restrict users with access to the tables they need
  • …?

Are there any other major problems with this method?