The two-tier solution proposed by Mark6505 is the correct way to isolate your database access.
The QVD generator is a normal .qvw file that the user does not have access to. This document is reloaded by the service account on your server/publisher and creates QVDs of the data being extracted. The user cannot see the connection string(s) or tamper in any way with the load script as they have no access to the document.
Your document would now load the data from the qvd files, so replace the SQL SELECTs wih LOAD FROM ....qvd statements. The document can be reloaded on the server, or even by the user, providing the respective accounts have access to the location where the qvds are stored.
Logic will get you from a to b. Imagination will take you everywhere. - A Einstein