Writing a custom SQL query in Joomla does not, by itself, protect you from SQL injection: whatever you concatenate into the query string is executed as SQL, so every user-supplied value has to be escaped before it goes into the query.
In Joomla, use $db->quote($param) on each value in a custom query. It escapes the special characters in the value and wraps the result in single quotes, so the value can never break out of its string literal.
Example of such a query:
$db = JFactory::getDbo();
// Concatenate the quoted values into the statement; quote() supplies the surrounding single quotes.
$query = "INSERT INTO table (`username`, `password`) VALUES (" . $db->quote($username) . ", " . $db->quote($password) . ")";
$db->setQuery($query);
$db->execute(); // query() is deprecated in Joomla 3; execute() runs the statement
Notice that there are no single quotes of your own around the values: $db->quote() adds them, and a second pair would produce malformed SQL. quote() is for values only. For table and column names use $db->quoteName(), and for numbers in positions where MySQL does not accept a quoted string (such as LIMIT) cast the value to (int) instead of quoting it.
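As an added example (not code from the original post), the vulnerable pattern is shown next to two hardened versions: one built by hand with quote() and quoteName(), and one using Joomla's query builder, which applies the same quoting and is harder to get wrong. It assumes a Joomla 3.x extension where JFactory and JUserHelper are already loaded; the table name #__app_users and the attacker-controlled username are made up for the illustration.

```php
<?php
// Added example, not from the original post. Runs inside a Joomla 3.x
// extension (JFactory, JUserHelper available); #__app_users is assumed.
defined('_JEXEC') or die;

// Constructed attacker input: the single quote closes the literal early and
// the rest of the value becomes SQL if it is interpolated directly.
$username = "alice', 'x'); DROP TABLE `#__app_users`; -- ";
$password = 'hunter2';

$db = JFactory::getDbo();

// VULNERABLE: raw interpolation of user input into the statement.
// Shown only for comparison; never execute this.
$unsafe = "INSERT INTO `#__app_users` (`username`, `password`) "
    . "VALUES ('$username', '$password')";

// Never store the plaintext password; hash it before it reaches the query.
$hash = JUserHelper::hashPassword($password);

// HARDENED 1: quote() escapes the value and adds the single quotes itself,
// so the query text contains no quotes of your own around the values.
// quoteName() does the same job for identifiers.
$safe = 'INSERT INTO ' . $db->quoteName('#__app_users')
    . ' (' . $db->quoteName('username') . ', ' . $db->quoteName('password') . ')'
    . ' VALUES (' . $db->quote($username) . ', ' . $db->quote($hash) . ')';
$db->setQuery($safe);
$db->execute();

// HARDENED 2: the query builder. columns() takes the quoted column names and
// values() takes a comma-separated list of already-quoted values.
$query = $db->getQuery(true)
    ->insert($db->quoteName('#__app_users'))
    ->columns($db->quoteName(array('username', 'password')))
    ->values(implode(',', array($db->quote($username), $db->quote($hash))));
$db->setQuery($query);
$db->execute();
```

With quote() applied, the constructed username is stored verbatim as a single string (including its quote, parenthesis and comment characters) rather than being executed as a DROP TABLE, which is the whole point of the call.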