ADHOC QUERY for client

I have previously worked in an environment that had a similar requirement.
We had an overnight job that created a separate read-only database that could be queried by users/other clients.

We also had a UI that could run pre-defined queries against either the live database OR the "copy database" depending upon need ... for example "What work is left outstanding today" versus "What work was completed yesterday"

Our approach was to insist that they sent us (the IT dept) their requirements and we built the reports for them ... they could either be run in real time (two types of outputs ... excel or csv) or it was run for them overnight.

We did actually develop a sort of "I want this query" system that was very VERY limited in it's behaviours (avoid SQL Injection for example).

We did determine that appropriate conversation with the "client" could end up with *controlled* queries against either the live database or the MI database (copy taken each night purely for the users to query without F*ing up performance on the live system). We had programs running that read text (xml) files to determine what query to run and where to store the results.

I have to say, it was a very successful system, it just needed to be actively managed.

Life being what it is, they also discovered a 3rd party tool that would allow them to build their own ad-hoc queries... they (the business users) thought it was great. We (IT) knew it was s**t. Cost the company lots (like millions) of money

TL;DR; .... control "ad-hoc" queries like the bubonic plague. Let users "think" they're doing ad-hoc, tie it down so tight they cannot fart.

Apologies for the ranting ... this is the one single reason why I went grey in my 30's

use reporting services for this