The other concern I see is that the PHP blindly accepts SQL text and applies it to your database. This is almost as bad as just allowing direct database connections.

What if somebody sends queries to delete everything?

You should really create a query protocol to send requests that your script can validate for legal actions and then create its own SQL to carry out acceptable actions.
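One way to build the query protocol the comment suggests, as an added example that is not part of the original thread (PHP with PDO; the `notes` table, the JSON request shape and the session-supplied owner are assumptions):

```php
<?php
// Added example, not from the original thread. Assumes a PDO connection
// and a hypothetical table notes(id INTEGER, owner TEXT, body TEXT).

// The pattern the comment warns about: the client ships the SQL itself.
//   $pdo->exec($_POST['sql']);   // anyone can send "DELETE FROM notes"

// Instead the client sends a small request, e.g.
//   {"action": "list_notes", "params": {}}
//   {"action": "delete_note", "params": {"id": 7}}
// and the server alone decides which SQL that may become.
const ACTIONS = [
    // 'params' lists the client-supplied values and their expected types;
    // :owner is never taken from the client, it is bound from the session.
    'list_notes'  => ['sql' => 'SELECT id, body FROM notes WHERE owner = :owner',
                      'params' => []],
    'add_note'    => ['sql' => 'INSERT INTO notes (owner, body) VALUES (:owner, :body)',
                      'params' => ['body' => 'string']],
    'delete_note' => ['sql' => 'DELETE FROM notes WHERE id = :id AND owner = :owner',
                      'params' => ['id' => 'int']],
];

function handleRequest(PDO $pdo, string $json, string $sessionOwner)
{
    $req = json_decode($json, true, 3, JSON_THROW_ON_ERROR);
    $action = $req['action'] ?? '';
    if (!isset(ACTIONS[$action])) {
        throw new InvalidArgumentException('unknown action');   // not on the allowlist
    }
    $spec   = ACTIONS[$action];
    $params = $req['params'] ?? [];
    $bound  = ['owner' => $sessionOwner];                       // scope every query to the caller
    foreach ($spec['params'] as $name => $type) {
        // every declared parameter is required; extra keys are simply ignored
        if (!array_key_exists($name, $params)) {
            throw new InvalidArgumentException("missing parameter $name");
        }
        $value = $params[$name];
        if ($type === 'int' && filter_var($value, FILTER_VALIDATE_INT) === false) {
            throw new InvalidArgumentException("$name must be an integer");
        }
        if ($type === 'string' && !is_string($value)) {
            throw new InvalidArgumentException("$name must be a string");
        }
        $bound[$name] = $type === 'int' ? (int) $value : $value;
    }
    // The SQL text is fixed server-side; client data only ever reaches it as bound values.
    $stmt = $pdo->prepare($spec['sql']);
    $stmt->execute($bound);
    return $stmt->columnCount() > 0 ? $stmt->fetchAll(PDO::FETCH_ASSOC) : $stmt->rowCount();
}
```

A request such as `{"action": "drop", ...}` or one carrying SQL in a parameter is rejected or treated as plain data, so the "delete everything" case in the comment never reaches the database.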