I found this documentation which suggests there is a QueryParams option.
<query name="Entities" rowElementName="Entity">
    <sql>
        <![CDATA[
        select Name,Description from {EntityName} with (NOLOCK) where {EntityName}ID=@EntityID
        ]]>
    </sql>
    <querystringreplace replaceTag="{EntityName}"
                        replacetype="runtime"
                        replaceparamname="EntityName"
                        defvalue=""
                        validationpattern="(category)|(section)|(affiliate)|(manufacturer)|(distributor)|(library)" />
    <queryparam paramname="@EntityID"
                paramtype="runtime"
                requestparamname="EntityID"
                sqlDataType="int"
                defvalue="0"
                validationpattern="" />
</query>
I believe this is sufficient to prevent SQL injection (though it'd be nice to have someone who knows the product confirm). Why this isn't mentioned at all in the main SQL interface documentation I'll never understand.
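The snippet above mixes two different mechanisms: `{EntityName}` is a textual replacement into the SQL string, which is only safe because the validationpattern acts as a whitelist of table names, while `@EntityID` is a typed bound parameter that never becomes SQL text. The following is an added illustration (not the product's code, and not part of the original post) that mimics both mechanisms in Python with sqlite3 standing in for SQL Server; the `with (NOLOCK)` hint is dropped, the request dict and the behaviour of rejecting non-integer IDs with an exception are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the query in the XmlPackage above (sqlite syntax).
SQL_TEMPLATE = "select Name, Description from {EntityName} where {EntityName}ID = @EntityID"

# The validationpattern whitelist. It is applied with fullmatch so that a value
# merely *containing* a listed name (e.g. "xcategory") is rejected; an unanchored
# search would accept it.
ENTITY_PATTERN = re.compile(
    r"(category)|(section)|(affiliate)|(manufacturer)|(distributor)|(library)")


def render_query(request):
    """Return (sql_text, bound_params) for a request dict of string values.

    {EntityName}: string replacement, guarded only by the whitelist above.
    @EntityID:    sqlDataType="int", so the value is coerced to int and bound,
                  never spliced into the SQL text (assumed: bad input raises).
    """
    entity = request.get("EntityName", "")              # defvalue=""
    if ENTITY_PATTERN.fullmatch(entity) is None:
        raise ValueError(f"EntityName rejected by validationpattern: {entity!r}")
    sql = SQL_TEMPLATE.replace("{EntityName}", entity)
    entity_id = int(request.get("EntityID", "0"))       # defvalue="0"
    return sql, {"EntityID": entity_id}


def is_rejected(request):
    """True when validation stops the request before any SQL is built."""
    try:
        render_query(request)
    except ValueError:
        return True
    return False


def run_query(conn, request):
    sql, params = render_query(request)
    return conn.execute(sql, params).fetchall()


def demo_db():
    """Constructed sample data for two of the whitelisted entity tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table category (categoryID integer, Name text, Description text)")
    conn.execute("create table section (sectionID integer, Name text, Description text)")
    conn.execute("insert into category values (1, 'Books', 'Printed matter'), (2, 'Music', 'Audio')")
    conn.execute("insert into section values (1, 'Front', 'Home page')")
    return conn
```

Calling `run_query(demo_db(), {"EntityName": "category", "EntityID": "2"})` returns the Music row, whereas a table name outside the whitelist or a non-numeric EntityID is rejected before a query exists.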