• Then you really should consider using stored procedures to encapsulate standard queries that users then pass parameters to, to restrict the data returned.

    You really don't want to have ad hoc queries in your web code. One of the things you really need to be concerned about is SQL Injection.
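As an added illustration (not part of the original thread), here is the difference between an ad hoc query and an encapsulated, parameterised one. Python with sqlite3 is used because it runs anywhere; the `orders_encapsulated` function stands in for the stored procedure (SQLite has no procedures), and the table, rows and the hostile input are all constructed for the example.

```python
import sqlite3

# Constructed sample data: each web user may only see their own orders.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1, "alice", 10.0),
        (2, "bob", 20.0),
        (3, "carol", 30.0),
    ])
    return conn

def orders_adhoc(conn, customer):
    # Ad hoc query assembled by string concatenation in the web code:
    # whatever the user typed becomes part of the SQL text itself.
    sql = "SELECT id, total FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()

def orders_encapsulated(conn, customer):
    # The query text is fixed here (the role a stored procedure plays on the
    # database server); the caller only supplies a parameter, which the driver
    # binds as data, so it can never change the shape of the WHERE clause.
    sql = "SELECT id, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()

def demo():
    conn = make_db()
    hostile = "' OR '1'='1"  # constructed input that widens the ad hoc WHERE clause
    return {
        "adhoc_normal": len(orders_adhoc(conn, "alice")),
        "adhoc_hostile": len(orders_adhoc(conn, hostile)),   # every customer's rows
        "safe_normal": len(orders_encapsulated(conn, "alice")),
        "safe_hostile": len(orders_encapsulated(conn, hostile)),  # no such customer
    }

if __name__ == "__main__":
    print(demo())
```

The ad hoc version returns all three customers' rows for the hostile value; the encapsulated version treats it as a literal customer name and returns nothing.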