If you're ever writing a custom SQL query (for example, because QQuery doesn't fit your needs) and have to put user input into the query definition, you are risking SQL injection. The way to make your query bulletproof is to pass every user-supplied value through the SqlVariable method, which quotes and escapes it so the database can only ever read it as a single literal value, never as part of the SQL itself:
$objDatabase = QApplication::$Database[1];
$strQuery = "SELECT * FROM table WHERE id=" .
    $objDatabase->SqlVariable(QApplication::QueryString('myUrlParam')) . // this takes care of quoting and escaping the URL parameter
    " ORDER BY attribute";
$objDbResult = $objDatabase->Query($strQuery);
while ($mixRow = $objDbResult->FetchArray()) {
    // process each row here
}
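To see why the concatenation is dangerous and what the quoting buys you, here is an added, stand-alone example (not QCubed/QCodo code): sqlVariableDemo() is a simplified stand-in that only mimics the quote-and-escape idea so the two resulting query strings can be compared offline; in real code keep calling $objDatabase->SqlVariable().

```php
<?php
// Added example, not the framework's code. sqlVariableDemo() is an assumed,
// simplified stand-in for $objDatabase->SqlVariable(): it renders a PHP value
// as a single SQL literal (NULL, number, or a quoted and escaped string).
function sqlVariableDemo($mixValue)
{
    if ($mixValue === null) {
        return 'NULL';
    }
    if (is_bool($mixValue)) {
        return $mixValue ? '1' : '0';
    }
    if (is_int($mixValue) || is_float($mixValue)) {
        return (string) $mixValue;
    }
    // Double any backslash and single quote, then wrap in single quotes, so the
    // whole input can only be parsed by the database as one string literal.
    $strEscaped = str_replace(array('\\', "'"), array('\\\\', "''"), (string) $mixValue);
    return "'" . $strEscaped . "'";
}

// Constructed sample input standing in for QApplication::QueryString('myUrlParam').
$strUntrusted = "1 OR 1=1";

// Vulnerable: the raw input is spliced into the SQL grammar and changes the
// WHERE clause, so the query no longer filters on a single id.
$strVulnerable = "SELECT * FROM table WHERE id=" . $strUntrusted . " ORDER BY attribute";

// Hardened: the same input becomes one quoted literal; the WHERE clause keeps
// its original shape and simply matches nothing (or id 1 after casting).
$strHardened = "SELECT * FROM table WHERE id=" . sqlVariableDemo($strUntrusted) . " ORDER BY attribute";

echo "vulnerable: " . $strVulnerable . "\n";
echo "hardened:   " . $strHardened . "\n";
```

Note that this only protects values: a column or table name taken from user input (for example in the ORDER BY) cannot be fixed by quoting and must be checked against an allow-list instead.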
