Nobody in their right mind would even try to communicate directly from a mobile app (or any client-side app) directly with a database. To do so, you would have to pass the DB username and password--along with *ALL* the SQL queries--from the mobile device to the DB server. And that means that anybody who managed to sniff the communications or read the coding of your app would now have full access to your database and could do all sorts of nasties to it. *CLEARLY* you want and need to have server-side code that protects you from this kind of stuff. The server-side code knows what kind of requests it will accept from the app and will reject anything else. And it would then never just take a SQL command from the app and execute it as is. It would always validate and "sanitize" the requests.
An optimist sees the glass as half full.
A pessimist sees the glass as half empty.
A realist drinks it no matter how much there is.
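A sketch of the server-side gatekeeping described in the post above, added here as an illustration and not part of the original post: the app sends only an action name and parameters, the server maps known actions to fixed parameterized queries, validates the values, and rejects everything else. The action names, the `users` schema, the validation limits and the `session_user_id` argument (the identity the server established at login) are assumptions made for the example.

```python
import sqlite3

# Hypothetical request types the app may send. Each maps to a fixed query;
# the client never supplies SQL text, only values for the named fields.
ALLOWED = {
    "get_profile": ("SELECT id, name FROM users WHERE id = ?", ("user_id",)),
    "rename": ("UPDATE users SET name = ? WHERE id = ?", ("name", "user_id")),
}

def make_db():
    """Constructed sample database, held in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db

def validate(field, value):
    # "name" is the only client-supplied field in this example.
    if (field == "name" and isinstance(value, str)
            and 1 <= len(value) <= 40 and value.isprintable()):
        return value
    raise ValueError(f"invalid {field}")

def handle_request(db, session_user_id, request):
    """Handle one decoded request body from the app."""
    action = request.get("action") if isinstance(request, dict) else None
    if not isinstance(action, str) or action not in ALLOWED:
        return {"ok": False, "error": "unknown action"}
    sql, fields = ALLOWED[action]
    client_fields = [f for f in fields if f != "user_id"]
    supplied = request.get("params", {})
    # Reject missing or unexpected parameters instead of ignoring them.
    if not isinstance(supplied, dict) or set(supplied) != set(client_fields):
        return {"ok": False, "error": "bad parameters"}
    try:
        values = {f: validate(f, supplied[f]) for f in client_fields}
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    # The affected row comes from the authenticated session, not the client.
    values["user_id"] = session_user_id
    cur = db.execute(sql, tuple(values[f] for f in fields))  # bound parameters
    db.commit()
    return {"ok": True, "rows": cur.fetchall()}

if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, 1, {"action": "get_profile", "params": {}}))
    print(handle_request(db, 1, {"action": "sql", "params": {"query": "DROP TABLE users"}}))
```

The database credentials live only in the server process, so nothing recoverable from the app or its traffic grants direct database access.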