A co-worker told me about a site he came across that executed SQL select clauses that were passed as parameters to an HTTP request. We now have an answer to the question posed above.
The webmonkey who did that was quite obviously as thick as a post. No head between his shoulders. A few chunks short of a transfer. A 206, who 408's on everything you put to him. Accept: text/html; q=0.1, text/sql; q=0.1.
And has hardly any security considerations.
(OK, I'll stop now.)