I remember once we tried something similar. I do not know how much this will be helpful to you.
We had oracle and there were 2 schemas in same service, ABC and XYZ.
ABC was the original schema and XYZ had the select access on ABC.
A separate
Connection object was created for XYZ schema only for the requests coming from that particular
JSP having the textarea for select query.
So it automatically accepted only select queries. DB would throw exception for any DDL/DML.
But soon we realized exposing the database like this is not at all a good choice.
It was a Core banking DB of a bank and small mistakes in query can result FTS and can kill the performance in peak hours.