The $_GET references are OK. They are always referenced with GetSQLValueString, which has SQL injection protection built in.
The issue with the sorting is due to the data type you are using. Since you are using varchar fields, the order is different than numeric ordering.
That column has a month set to "10". Using a varchar sort, "10" comes before "2". I updated your SQL to convert the text value to an integer before sorting and that has fixed your issue.
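The sorting behaviour described above, as an added example that is not from the original post: it uses Python's `sqlite3` as a stand-in database, and the `events` table, its columns and the sample rows are constructed for illustration. The filter value is passed as a bound parameter, and the cast syntax shown is SQLite's (other databases spell the integer type differently).

```python
import sqlite3

# Constructed sample rows: month and year are stored as text, as in the post.
ROWS = [
    ("2", "2012", "feb"),
    ("10", "2012", "oct"),
    ("1", "2012", "jan"),
    ("9", "2012", "sep"),
    ("11", "2011", "nov"),
]


def make_db():
    """Build an in-memory table with varchar month/year columns (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (month VARCHAR(2), year VARCHAR(4), title TEXT)")
    db.executemany("INSERT INTO events VALUES (?, ?, ?)", ROWS)
    return db


def months_text_sort(db, year):
    """Sort on the raw varchar column: values compare character by character."""
    cur = db.execute(
        "SELECT month FROM events WHERE year = ? ORDER BY month", (year,)
    )
    return [row[0] for row in cur]


def months_numeric_sort(db, year):
    """Convert the text value to an integer before sorting."""
    cur = db.execute(
        "SELECT month FROM events WHERE year = ? ORDER BY CAST(month AS INTEGER)",
        (year,),
    )
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    print("varchar sort:", months_text_sort(db, "2012"))
    print("integer sort:", months_numeric_sort(db, "2012"))
    # A request value containing quote characters is bound as data, not SQL,
    # so it simply matches no rows.
    print("odd input:   ", months_numeric_sort(db, "2012' OR '1'='1"))
```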