
Back in the first dotcom era I worked at a place that had a "SQL page" in the website. Just a textarea where you could enter any query and run it. It was wide open, protected only by the fact that it wasn't linked anywhere (there was no way to get to it other than entering the URL directly into the browser). It was there for the reasons you list, a quick way to verify that the database connections were working and to run ad-hoc queries for support/troubleshooting.

It was thought to be safe enough, because "nobody could guess" the URL of that page.


