sql injection – how to sanitize program generated sql clause

in standard Ajax, where and order by SQL clauses are provided by the program (not user), egvar url = “.select?dd=emp&where=”+escape(“emp_tp=’abc’ and hire_dt$where =...