Never trust the client.
Here’s how I would design the database interaction:
Client <—> Server <—> Database
Assuming you’re using a SQL database, where do the queries get created and run? On the server. A client shouldn’t even know that a backend database exists. It just interacts with the server and sends requests to the server and the server sends back responses.
Client to server: What is the current high score leaderboard?
Server to client: Hang on, let me give you a list of names and scores!
Server to database: Run this SQL query and give me the results.
Server: Let's translate the database response into something the client can understand…
Server to client: Here’s a list of names and associated scores.
Client: Thanks! Let me sort these and display them to the user.
If you hide your database server behind a DMZ, it will be untouchable by the outside world. No SQL injection attacks from clients.
As far as doing the server to database connection, I'm sure there are plenty of online resources for how to do that in C++. The general gist is that you create a connection string on the server, open up a database connection with that connection string, connect to a database, and start running queries. Since it's a server, the connection will probably be pretty persistent, so you can set a really high timeout value. Once the server is done (i.e., rebooting or shutting down), you close the database connection.
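The exchange described above, as an added example that is not part of the original post: the server accepts a small fixed set of requests, validates every client-supplied value, and binds it as a query parameter, so the client never supplies SQL text. Python with an in-memory SQLite database stands in for the C++ server and its database; the table, the action names, `MAX_ROWS` and the sample rows are assumptions made for this sketch.

```python
import sqlite3

MAX_ROWS = 100  # assumed server-side cap on leaderboard size


def open_db():
    """Stand-in for the server's persistent database connection."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE scores (name TEXT NOT NULL, score INTEGER NOT NULL)")
    # Constructed sample rows.
    db.executemany("INSERT INTO scores VALUES (?, ?)",
                   [("alice", 900), ("bob", 700), ("carol", 1200)])
    return db


def handle_request(db, request):
    """Server entry point. `request` is the untrusted message from the client."""
    if not isinstance(request, dict):
        return {"ok": False, "error": "bad request"}
    action = request.get("action")

    if action == "leaderboard":
        limit = request.get("limit", 10)
        # Reject strings, floats and booleans; only a bounded integer is accepted.
        if type(limit) is not int or not 1 <= limit <= MAX_ROWS:
            return {"ok": False, "error": "bad limit"}
        rows = db.execute(
            "SELECT name, score FROM scores ORDER BY score DESC LIMIT ?",
            (limit,)).fetchall()
        return {"ok": True, "scores": [{"name": n, "score": s} for n, s in rows]}

    if action == "player_score":
        name = request.get("name")
        if not isinstance(name, str) or not 1 <= len(name) <= 32:
            return {"ok": False, "error": "bad name"}
        # The name is bound as data, so quote characters in it are never parsed as SQL.
        row = db.execute("SELECT score FROM scores WHERE name = ?", (name,)).fetchone()
        return {"ok": True, "score": row[0] if row else None}

    # Anything outside the fixed vocabulary is refused, including raw SQL.
    return {"ok": False, "error": "unknown action"}


if __name__ == "__main__":
    db = open_db()
    print(handle_request(db, {"action": "leaderboard", "limit": 2}))
    print(handle_request(db, {"action": "player_score", "name": "x' OR '1'='1"}))
    db.close()
```
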