The quick answers to:
1) Yes
2) No
First, determine what kind of queries the users are allowed to make, based on their roles and access rights.
Second, on the server-side, compose the SQL script for each query, bearing in mind SQL Injection.
Third, on the client-side, list out the types of queries that a logged-in user is allowed to make, based on his role and access rights, and determine the UI controls that allow him to enter the necessary parameters for the queries. For example, if the options are fixed, use radio buttons, check boxes, or a drop-down for selection; otherwise use text boxes. As far as possible, limit the use of free text by the user.
Lastly, the user will submit his choice of query and the required parameters to the server-side script which, among other things, cleanses and validates the parameters before injecting them into the correct SQL script for further processing.