Clients should not be directly connecting to a database. Massive security issue. It all should be done from the server.
Properly done you’ll want a RESTful API the server can send “requests” through and get back results (response). The request logic should be very discreet and specific. No way for custom requests to happen.