You can try to store all the SQL queries in the script running on the server.
Each SQL query would be identified by a code (a string).
From your app you would do a POST with the code string.
Then on the server side you would do a GET to check the code and execute the appropriate SQL query, returning the appropriate JSON. Any other thing sent to the server would be refused.
This is boring work, especially if you have lots of different queries, but it is safer than sending direct SQL queries. Also, if you do not need DELETEs or other stuff, ensure that the mSQL user used by the service is only granted the privileges needed. So if you just need to READ from the DBASE you should revoke INSERT, UPDATE and DELETE privileges.
José
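The pattern José describes, as an added example that is not part of the original post: a server-side table of query codes, each mapped to a parameterised statement, a handler that refuses any unknown code or unexpected parameter and returns JSON, and a connection on which the service cannot INSERT, UPDATE or DELETE. The database server is stood in for by an in-memory sqlite3 database so the script runs offline; the table, rows, query codes and the `handle_request` function are all constructed for this example. On sqlite there are no user grants, so the authorizer callback plays the role that `REVOKE INSERT, UPDATE, DELETE` on the service account plays on a MySQL-style server.

```python
import json
import sqlite3

# Whitelist of query codes -> (parameterised SQL, names of the parameters it accepts).
# Only statements listed here can ever reach the database; the client never sends SQL.
QUERIES = {
    "list_products": ("SELECT id, name, price FROM products ORDER BY id", ()),
    "product_by_id": ("SELECT id, name, price FROM products WHERE id = ?", ("id",)),
    "product_by_name": ("SELECT id, name, price FROM products WHERE name = ?", ("name",)),
}

# Actions the service account must never be able to perform (constructed policy).
WRITE_ACTIONS = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE}


def open_service_connection():
    """Create a sample database (constructed data) and hand back a connection
    that behaves like a read-only service user."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.5);
    """)

    # sqlite3 analogue of revoking INSERT/UPDATE/DELETE from the service user:
    # every statement is checked before it runs and writes are refused outright.
    def deny_writes(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_DENY if action in WRITE_ACTIONS else sqlite3.SQLITE_OK

    conn.set_authorizer(deny_writes)
    return conn


def handle_request(conn, code, params):
    """Server-side entry point for one request: `code` is the query identifier
    the client POSTed, `params` the parameters it supplied (a dict).
    Returns the JSON document the server would send back."""
    entry = QUERIES.get(code)
    if entry is None:
        # Anything that is not a known code is refused, never interpreted as SQL.
        return json.dumps({"error": "unknown query code"})
    sql, param_names = entry
    if set(params) != set(param_names):
        # Extra or missing parameters are refused as well.
        return json.dumps({"error": "unexpected parameters"})
    # Values are bound by the driver, so a hostile string is just a value.
    args = tuple(params[name] for name in param_names)
    cur = conn.execute(sql, args)
    cols = [d[0] for d in cur.description]
    rows = [dict(zip(cols, r)) for r in cur.fetchall()]
    return json.dumps({"rows": rows})


def write_is_refused(conn):
    """True if the service connection cannot delete rows (privilege check)."""
    try:
        conn.execute("DELETE FROM products")
    except sqlite3.DatabaseError:
        return True
    return False


if __name__ == "__main__":
    conn = open_service_connection()
    print(handle_request(conn, "list_products", {}))
    print(handle_request(conn, "product_by_id", {"id": 2}))
    # A classic injection payload arrives as a plain value and matches nothing.
    print(handle_request(conn, "product_by_name", {"name": "' OR 1=1 --"}))
    print(handle_request(conn, "DROP TABLE products", {}))
    print("writes refused:", write_is_refused(conn))
```

The two checks in `handle_request` are the whole point of the scheme: the client can only pick a code from the table, and only supply the parameters that code declares, so there is no path by which client input becomes SQL text. The authorizer is the second layer the post recommends: even if a query code were ever added carelessly, the connection itself cannot modify data.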