In my dream (where unicorns also roam) DBTNG goes out of its way to prevent SQL injections due to silly mistakes, or a moment of carelessness.
orderBy() doesn't escape fields / aliases and does not check $direction, allowing SQL injection when developers pass user-supplied data.
Idem for group by, though that needs further study.
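Added example, not code from DBTNG or from the poster: a plain-PHP stand-in for what the post describes (a builder that pastes the orderBy() field and direction into the SQL unchecked), next to the whitelist a calling module should wrap around such a call. The function names, the column list and the $_GET-style inputs are all made up for the illustration.

```php
<?php
// Stand-in for an unchecked builder (hypothetical, not DBTNG's own code):
// field and direction are concatenated verbatim, so whatever the caller
// passes ends up in the SQL string.
function naive_order_clause($field, $direction = 'ASC') {
  return "ORDER BY $field $direction";
}

// Hardened form on the caller's side: map the request parameter onto a fixed
// set of known columns and force the direction to ASC/DESC. Anything that is
// not on the list falls back to the default instead of reaching the query.
function safe_order_clause($field, $direction, array $allowed_fields, $default_field) {
  $column = isset($allowed_fields[$field])
    ? $allowed_fields[$field]
    : $allowed_fields[$default_field];
  $direction = strtoupper((string) $direction) === 'DESC' ? 'DESC' : 'ASC';
  return "ORDER BY $column $direction";
}

// The same whitelist works for a GROUP BY column; direction does not apply.
function safe_group_clause($field, array $allowed_fields, $default_field) {
  $column = isset($allowed_fields[$field])
    ? $allowed_fields[$field]
    : $allowed_fields[$default_field];
  return "GROUP BY $column";
}

// Constructed inputs standing in for $_GET['sort'] and $_GET['order'].
$user_field = "created, (SELECT pass FROM users WHERE uid = 1)";
$user_dir   = "ASC; -- ";

// Whitelist of request values -> real column names (hypothetical).
$allowed = array(
  'created' => 'n.created',
  'title'   => 'n.title',
);

echo naive_order_clause($user_field, $user_dir), "\n";
echo safe_order_clause($user_field, $user_dir, $allowed, 'created'), "\n";
echo safe_group_clause($user_field, $allowed, 'created'), "\n";
```

The first echo prints the attacker's subquery and the trailing comment marker verbatim inside the ORDER BY; the two hardened calls print only `n.created` with a fixed direction. In a Drupal 7 module the same lookup belongs in front of the `->orderBy($column, $direction)` / `->groupBy($column)` call, so the builder only ever sees values the module itself chose.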