What if mysql.connect_timeout were set to a low value, say 30 seconds? People could use it for moderately simple queries, and there are a lot of useful queries that can be executed in that time, or for preparation of more complex queries (for example, prepare on simple a query for en).
Killing the connection does not stop the query. Besides, from a security perspective, letting people run unchecked queries is kinda... stupid. If you want to automatically check the query - then you've pretty much arrived at api.php. Letting toolserver users check & run is the safest and simplest way to realize a query service.
--valhallasw