How to prevent malicious SQL injection attacks by resorting to benign SQL injection?

I am writing an ASP.NET MVC4 application that ultimately builds a SQL SELECT statement dynamically so that it can be saved and executed later. The structure of dynamic SQL is determined by the user configuration in a user-friendly form, with standard flags, drop-down lists, and free-form text fields. It would be simple enough to check the input and build the SQL string using parameterized queries, except that I need to allow advanced users to enter their own SQL, which must be entered directly in the SELECT and WHERE clauses. So,What methods can I use to clean up custom SQL expressions or protect against unwanted input from a smart user? I can easily analyze the string for suspicious keywords and blacklisting / inserting / update / delete / etc., But something tells me that I'm not going to protect me 100%.

I am happy to provide more detailed information about what I am doing here, but I am not sure that other details will be useful, as I feel that my problem, although probably not ordinary, is quite general.