Alejandro, what you've written there is very dangerous. Unless when you're making an actual database management tool, you shouldn't allow users to specify the query to execute in any way. Definitely not like this, but you should also be aware of SQL injection. Right now, a user can send in any query, as long as it produces a result set. That could even be a compound statement that performs a DELETE or even a DROP TABLE statement.
If you want this service to be as dynamic as now, let the user only send the table name. Validate that it's one you expect, then create your SQL query yourself ("SELECT * FROM " + table is now safe because you validated that table is white listed