I had the same problem and I solved it this way:
In client source:
1) prepare the complete SQL command in a string variable
2) define a password, for example "123456"
3) calculate MD5 of "123456" & "my SQL command"
4) send the request to the server with GET or POST in this way:
http://myserveraddress.com/execute.php?sql=my complete SQL command&chk=my MD5 value
For each SQL command, the MD5 value changes.
On the server, in the execute.php program, I do the same check.
I take the SQL command, concatenate it with the password, calculate the MD5, and if it is not the same value I abort the command.
If the user doesn't know the password, he can't send any SQL command, and also, if he sniffs the communication, he can't read the real password.
Sergio
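
Added example (not part of Sergio's post and not code from his project): a Python model of both sides of the exchange described above, with the MD5 check as posted next to a variant that swaps in HMAC-SHA256 and a timestamp. `MAX_AGE`, the `ts` parameter and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "http://myserveraddress.com/execute.php?"  # URL from the post
SECRET = b"123456"  # the post's example password; a real key is long and random
MAX_AGE = 60        # assumed validity window in seconds (not from the post)

def md5_chk(sql):
    # Scheme from the post: MD5 over password & SQL command
    return hashlib.md5(SECRET + sql.encode()).hexdigest()

def hmac_chk(sql, ts):
    # Hardened variant (assumption): HMAC-SHA256 over timestamp and SQL
    return hmac.new(SECRET, f"{ts}\n{sql}".encode(), hashlib.sha256).hexdigest()

def client_url_md5(sql):
    # urlencode escapes spaces, '=' and '&' inside the SQL text
    return BASE + urlencode({"sql": sql, "chk": md5_chk(sql)})

def client_url_hmac(sql, now=None):
    ts = int(time.time() if now is None else now)
    return BASE + urlencode({"sql": sql, "ts": ts, "chk": hmac_chk(sql, ts)})

def param(url, name):
    # First value of a query parameter, or "" when it is absent
    return parse_qs(urlsplit(url).query).get(name, [""])[0]

def server_check_md5(url):
    # No freshness: the same URL verifies whenever it arrives
    expected = md5_chk(param(url, "sql"))
    return hmac.compare_digest(expected.encode(), param(url, "chk").encode())

def server_check_hmac(url, now=None):
    now = time.time() if now is None else now
    try:
        ts = int(param(url, "ts"))
    except ValueError:
        return False  # missing or malformed timestamp
    if abs(now - ts) > MAX_AGE:
        return False  # outside the window: a captured request resent later fails
    expected = hmac_chk(param(url, "sql"), ts)
    return hmac.compare_digest(expected.encode(), param(url, "chk").encode())

if __name__ == "__main__":
    sql = "UPDATE items SET qty = 5 WHERE id = 7"  # constructed sample
    print(server_check_md5(client_url_md5(sql)))
    print(server_check_hmac(client_url_hmac(sql)))
```

Both checks only authenticate the request: anyone who extracts the password from the client can sign any SQL, so the server should still restrict what it executes.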