SQL injections occur when query parameters are passed directly into the query string. Example:
var input = request.content.param; // e.g. "1;DROP TABLE ACTIONS;--"
var query = "SELECT * FROM ACTIONS WHERE K_ACTION= " + input; // the input becomes part of the SQL text
Separating the query string from the query parameter values makes this kind of injection impossible, as the parameters will be escaped properly.
If the query has no parameters, there is no need to add a "fake" one, because no "potentially malicious" parameters will be added to the query string, and therefore there is no risk of SQL injection.
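The difference between the two forms, and the no-parameter case, as an added example that is not part of the original text. It assumes Python's standard `sqlite3` module and a constructed in-memory `ACTIONS` table; the function names are illustrative, and `executescript()` stands in for a driver that accepts stacked statements.

```python
import sqlite3

PAYLOAD = "1;DROP TABLE ACTIONS;--"  # the input value from the example above


def new_db():
    """Build a constructed in-memory ACTIONS table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ACTIONS (K_ACTION INTEGER, NAME TEXT)")
    conn.executemany("INSERT INTO ACTIONS VALUES (?, ?)",
                     [(1, "login"), (2, "logout")])
    conn.commit()
    return conn


def table_exists(conn):
    row = conn.execute("SELECT COUNT(*) FROM sqlite_master "
                       "WHERE type = 'table' AND name = 'ACTIONS'").fetchone()
    return row[0] == 1


def concatenated(conn, value):
    """Vulnerable form: the value becomes part of the SQL text."""
    # Assumption: executescript() models a driver that runs stacked statements.
    conn.executescript("SELECT * FROM ACTIONS WHERE K_ACTION= " + value)


def parameterized(conn, value):
    """Safe form: the SQL text is fixed and the value is bound separately."""
    sql = "SELECT * FROM ACTIONS WHERE K_ACTION = ?"
    return conn.execute(sql, (value,)).fetchall()


def no_parameters(conn):
    """No external input reaches the SQL text, so nothing needs binding."""
    return conn.execute("SELECT * FROM ACTIONS ORDER BY K_ACTION").fetchall()


def demo():
    """Return (table survives concatenation?, bound rows, table survives binding?)."""
    unsafe, safe = new_db(), new_db()
    concatenated(unsafe, PAYLOAD)        # the second statement is executed
    rows = parameterized(safe, PAYLOAD)  # the whole value is compared as data
    return table_exists(unsafe), rows, table_exists(safe)


if __name__ == "__main__":
    print(demo())
```

In the parameterized call the full input string is compared against `K_ACTION` as a single value, so it matches no row and the table is untouched.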