Just route your queries/responses via PlayerController or PlayerState, with a server RPC and an owning-client RPC.
It is very unsafe to receive the SQL query directly from the client, though. Instead of sending the query itself, you probably want to send the appropriate values via the RPC and build the query on the server side with proper SQL escaping (which your plugin/API should provide).
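
The server-side pattern described in the answer above, sketched in plain C++ as an added example that is not part of the original post or of any plugin's API. It uses bound placeholders in place of string escaping, and `SaveScoreRequest`, `PreparedQuery`, the `scores` table and the limits are hypothetical names and values chosen for illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical payload of a server RPC: the client sends values only, never SQL.
struct SaveScoreRequest {
    std::string playerName;
    int64_t score;
};

// Fixed statement text plus the values the database API binds to its placeholders.
struct PreparedQuery {
    std::string sql;
    std::vector<std::string> params;
};

// Server-side validation, the role a _Validate function plays for a server RPC.
// The limits (32 characters, 0..1000000) are assumptions for this example.
bool IsValidRequest(const SaveScoreRequest& req) {
    if (req.playerName.empty() || req.playerName.size() > 32) return false;
    for (unsigned char c : req.playerName) {
        if (c < 0x20 || c == 0x7f) return false;  // reject control characters
    }
    return req.score >= 0 && req.score <= 1000000;
}

// Builds the query on the server. The SQL text is a constant; client data only
// ever travels in params, so it cannot change the statement's structure.
bool BuildSaveScoreQuery(const SaveScoreRequest& req, PreparedQuery& out) {
    if (!IsValidRequest(req)) return false;
    out.sql = "INSERT INTO scores (player_name, score) VALUES (?, ?)";
    out.params = {req.playerName, std::to_string(req.score)};
    return true;
}

int main() {
    // Constructed sample input: a name that contains SQL metacharacters.
    SaveScoreRequest req{"x'); DROP TABLE scores;--", 10};
    PreparedQuery q;
    if (BuildSaveScoreQuery(req, q)) {
        std::cout << q.sql << "\n";
        for (const std::string& p : q.params) std::cout << "  bind: " << p << "\n";
    }
    return 0;
}
```

The `sql` and `params` pair would be handed to whatever prepared-statement or escaping call the database plugin actually exposes.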