(Too long for comments ...)
No, because cfqueryparam (or bind variables) are designed to prevent the very thing you are trying to do, which is execute a string as a SQL command. Bind variables cannot be used on anything that must be interpreted as a command by the DBMS, such as table or column names, operators, et cetera - only literals like numbers or simple strings.
Given that cfqueryparam can only be used inside a cfquery tag, the cfscript version makes it a bit easier to parameterize dynamic statements. However, as long as you must execute arbitrary strings, there is really no bulletproof way to protect the query against SQL injection. If at all possible, I would recommend restructuring to eliminate the dynamic SQL. Given that it is a legacy app, I realize it is more challenging, but the end result is worth it.
FWIW, keep in mind that while SQL injection protection is probably the most critical benefit of using cfqueryparam, there are other benefits as well. Most notably, performance improvements for queries executed multiple times with varying parameters. That is actually the primary purpose of bind variables. The injection protection that comes along with it is just a nice side effect.
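
The distinction drawn above between literals and anything the DBMS must parse, as an added example that is not part of the original answer. It uses Python's built-in sqlite3 instead of ColdFusion so that it runs self-contained; the `?` placeholder plays the role of cfqueryparam, and the table, rows and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return con


def find_by_name(con, name):
    """Literal bound as a parameter: sent as data, never parsed as SQL."""
    return con.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def find_by_name_concat(con, name):
    """Same query built by string concatenation: the input becomes SQL text."""
    return con.execute(
        "SELECT id, name FROM users WHERE name = '" + name + "'"
    ).fetchall()


def select_from_bound_table(con, table):
    """A table name is an identifier the DBMS must parse, so it cannot be bound."""
    try:
        return con.execute("SELECT id, name FROM ?", (table,)).fetchall()
    except sqlite3.OperationalError as exc:
        return f"rejected: {exc}"


def select_bound_column(con, column):
    """A bound 'column name' is only a string literal, not a column reference."""
    return con.execute("SELECT ? FROM users", (column,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    hostile = "x' OR '1'='1"  # constructed input containing SQL syntax
    print("bound value:    ", find_by_name(con, hostile))
    print("concatenated:   ", find_by_name_concat(con, hostile))
    print("bound table:    ", select_from_bound_table(con, "users"))
    print("bound column:   ", select_bound_column(con, "name"))
```

The bound query returns no rows for the hostile input while the concatenated one returns every row; the bound table name is rejected by the parser, and the bound column name comes back as the literal string rather than the column's values.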