Let's all do server-side database queries by concatenating GET & POST responses onto SELECT strings and client-side JSON parsing by executing it as JS. What could possibly go wrong?
Never trust anything that's come to you over a comms channel any part of which is not under your control. That applies to clients receiving server data and vice versa. Sandbox everything.
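An added example, not part of the comment above: both anti-patterns it names, each beside a safer form. It is written in Python so it runs offline, with `eval` standing in for executing the payload as JS. The `users` table, the function names and all sample inputs are constructed for illustration.

```python
import json
import sqlite3

def make_db():
    # Constructed sample data for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def lookup_concat(db, name):
    # Anti-pattern: request data spliced into the SELECT text, so the
    # database parses the input as SQL instead of treating it as a value.
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, name):
    # Parameter binding: the statement is fixed, the input is data only.
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

def parse_by_eval(text, scope):
    # Anti-pattern: "parsing" by executing whatever the peer sent.
    return eval(text, scope)

def parse_strict(text):
    # A real parser accepts only JSON grammar; the shape is then checked
    # before the value is used. json.loads raises ValueError on non-JSON.
    payload = json.loads(text)
    if not isinstance(payload, dict) or type(payload.get("id")) is not int:
        raise ValueError("unexpected payload shape")
    return payload

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"                   # constructed request value
    print("concatenated:", lookup_concat(db, crafted))
    print("bound:       ", lookup_bound(db, crafted))
    calls = []
    body = '{"id": calls.append("ran") or 1}'  # constructed, not valid JSON
    print("eval result: ", parse_by_eval(body, {"calls": calls}), calls)
    try:
        parse_strict(body)
    except ValueError as exc:
        print("strict parse rejected:", exc)
```

The concatenated query returns every row for the crafted value while the bound query returns none, and the `eval` path runs code embedded in the payload that the strict parser rejects.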