Any professional with some experience in that field (internet-services, internet-db-access)
would disencourage you from executing arbitrary SQL against an internet facing DB.

SSL can't defend against a hacker that is the end point... (although I'm glad you mentioned authentication, despite not using it in your demo)
Read-Only SQL can't defend against
Code:
SELECT * FROM 
[Order Details] a,[Order Details] b, [Order Details] c, [Order Details] d, 
[Order Details] e,[Order Details] h, [Order Details] k, [Order Details] p, 
[Order Details] f,[Order Details] i, [Order Details] l, [Order Details] o, 
[Order Details] g, [Order Details] j, [Order Details] m, [Order Details] n, 
[Order Details] some_pain,
[Order Details] a_little_more,
[Order Details] uncle;