PHP MySQL prevent SQL injection from GET while using SQL in variables

I have this PHP code

function testInput($data){
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

function setDefault($name,$hodnota){
    if(isset($_GET[$name])){
        $vysledek = testInput($_GET[$name]);
    }
    else {
        $vysledek = $hodnota;
    }
    return $vysledek;
}

function filterWhere($aktivni,$neaktivni){
    if($aktivni && $neaktivni){
        $aktivniSql = '';
    }
    elseif(!$aktivni && !$neaktivni){
        $aktivniSql = 'WHERE aktivni = 3';
    }
    elseif(!$aktivni && $neaktivni){
        $aktivniSql = 'WHERE aktivni = 0';
    }
    else{
        $aktivniSql = 'WHERE aktivni = 1';
    }
    return $aktivniSql;
}

$aktivni = setDefault('aktivni',1);
$neaktivni = setDefault('neaktivni',0);
$aktivniSql = filterWhere($aktivni,$neaktivni);

$sql = "SELECT * FROM uzivatel $aktivniSql ORDER BY $orderBy $orderBy2";
$result = mysqli_query($conn, $sql);
while($row = mysqli_fetch_assoc($result)){
...
}

As you can see in function testInput I'm preventing XSS. How do I prevent SQL injection from GET? Is it even necessary?

I am using the function filterWhere to get the part of the SQL query that chooses whether active accounts will be shown. The variables $aktivni, $neaktivni are also used further in the code to build sorting cells...

I tried to use a prepared statement, but I guess it only works for values after = in an SQL query? I tried this and it didn't work:

$stmt = $mysqli->prepare("SELECT * FROM uzivatel $aktivniSql ORDER BY ? ?");
$stmt->bind_param("ss", $orderBy, $orderBy2);
$stmt->execute();
$result = $stmt->get_result();

or this:

$stmt = $mysqli->prepare("SELECT * FROM uzivatel ? ORDER BY ? ?");
$stmt->bind_param("sss", $aktivniSql, $orderBy, $orderBy2);
$stmt->execute();
$result = $stmt->get_result();
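As an added example (not code from the question above), here is one way to handle all three dynamic parts of that query. The only value that can be bound with "?" is the aktivni filter, so it goes in as a parameter; the ORDER BY column and direction are identifiers and keywords, which placeholders cannot represent, so they are mapped through fixed allow-lists and anything unexpected falls back to a default. It assumes an open mysqli connection in $conn, as in the question, and the column names in ORDER_COLUMNS are assumptions.

```php
<?php
// Added example, not code from the question. It assumes an open mysqli
// connection in $conn (as in the question) and the column names below.

// Column and direction names are identifiers/keywords: they cannot be bound
// with "?", so every request value is mapped through a fixed allow-list and
// anything unknown falls back to the default.
const ORDER_COLUMNS = ['id' => 'id', 'jmeno' => 'jmeno', 'aktivni' => 'aktivni']; // assumed columns
const ORDER_DIRS    = ['asc' => 'ASC', 'desc' => 'DESC'];

function pickAllowed(array $allowed, $requested, string $default): string
{
    $key = strtolower(trim((string) $requested));
    return $allowed[$key] ?? $allowed[$default];
}

// Same four cases as filterWhere() in the question, but the value is sent
// as a bound parameter instead of being spliced into the WHERE clause as text.
function buildUserQuery(bool $aktivni, bool $neaktivni, string $orderBy, string $orderDir): array
{
    $sql    = 'SELECT * FROM uzivatel';
    $params = [];
    if (!$aktivni && !$neaktivni) {
        $sql     .= ' WHERE aktivni = ?';
        $params[] = 3;
    } elseif ($aktivni xor $neaktivni) {
        $sql     .= ' WHERE aktivni = ?';
        $params[] = $aktivni ? 1 : 0;
    }
    // both true: no WHERE, everyone is listed
    $sql .= " ORDER BY `$orderBy` $orderDir"; // safe: both values came from the allow-lists
    return [$sql, $params];
}

// Booleans from GET: "1", "true", "on", "yes" are true, everything else is false.
function boolParam(string $name, bool $default): bool
{
    if (!isset($_GET[$name])) {
        return $default;
    }
    return filter_var($_GET[$name], FILTER_VALIDATE_BOOLEAN);
}

$aktivni   = boolParam('aktivni', true);
$neaktivni = boolParam('neaktivni', false);
$orderBy   = pickAllowed(ORDER_COLUMNS, $_GET['orderBy']  ?? null, 'id');
$orderDir  = pickAllowed(ORDER_DIRS,    $_GET['orderBy2'] ?? null, 'asc');

[$sql, $params] = buildUserQuery($aktivni, $neaktivni, $orderBy, $orderDir);

if (isset($conn) && $conn instanceof mysqli) {
    $stmt = $conn->prepare($sql);
    if ($params !== []) {
        $stmt->bind_param(str_repeat('i', count($params)), ...$params);
    }
    $stmt->execute();
    $result = $stmt->get_result();
    while ($row = $result->fetch_assoc()) {
        // escape on output, not on input: this is where htmlspecialchars belongs
        echo htmlspecialchars($row['jmeno'], ENT_QUOTES, 'UTF-8'), "\n";
    }
} else {
    // no database in this run: show what would be sent to the server
    echo $sql, "\n", json_encode($params), "\n";
}
```

With no GET parameters this produces `SELECT * FROM uzivatel WHERE aktivni = ? ORDER BY `id` ASC` with the parameter 1, the same result as the question's defaults; a request with an orderBy value that is not in ORDER_COLUMNS is sorted by the default column instead of reaching the query. Because the allow-lists return only their own strings, the ORDER BY part never contains request data at all, which is what makes string interpolation acceptable there. Note that stripslashes and htmlspecialchars in testInput do nothing for SQL and are better applied at output time, where the same $aktivni and $neaktivni values are printed into the sorting cells.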