If you take some parameter directly from the URL without checking it, it is possible that someone writes a URL that has a parameter that first terminates the string, then the SQL sentence, includes another SQL query and comments out the rest of the real SQL. In this case the malicious user can execute any SQL that they wish. It does not matter what the original SQL statement was.
See e.g.
en.wikipedia.org/wiki/SQL_injection
I just wanted to warn people not to use your hack because it is not safe, not to argue whether this is a problem or not.
mikko
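
The failure described in the post above, reproduced against an in-memory SQLite database next to the parameterized form that prevents it. This is an added example, not code from the thread: the table, the function names and the sample parameter are constructed, and `executescript` stands in for a database driver that accepts several statements in one call.

```python
import sqlite3

# Constructed sample value for a URL parameter: closes the string literal,
# ends the statement, appends a second statement, comments out the rest.
PAYLOAD = "x'; DELETE FROM pages; --"


def make_db():
    """Build a throwaway in-memory database with two rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE pages(name TEXT, body TEXT);"
        "INSERT INTO pages VALUES ('home', 'welcome'), ('about', 'contact');"
    )
    return db


def count_pages(db):
    return db.execute("SELECT COUNT(*) FROM pages").fetchone()[0]


def build_unsafe_sql(name):
    # Vulnerable: the parameter becomes part of the SQL text itself.
    return "SELECT body FROM pages WHERE name = '" + name + "' ORDER BY name"


def lookup_unsafe(db, name):
    # executescript() runs every statement in the string, like drivers that
    # allow stacked queries; sqlite3's execute() would reject a second one.
    db.executescript(build_unsafe_sql(name))


def lookup_safe(db, name):
    # Hardened: the SQL text is fixed and the value is bound separately,
    # so quotes, semicolons and comment markers stay plain data.
    sql = "SELECT body FROM pages WHERE name = ? ORDER BY name"
    return db.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("statement sent by unsafe code:", build_unsafe_sql(PAYLOAD))
    print("safe lookup result:", lookup_safe(db, PAYLOAD))
    print("rows after safe lookup:", count_pages(db))
    lookup_unsafe(db, PAYLOAD)
    print("rows after unsafe lookup:", count_pages(db))
```

With the bound parameter the whole value is compared against `name` as one string, so the lookup simply finds no row and the table is untouched.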