Not nearly worse than SQL injection, no. You control all of the data in the file and therefore choose whether or not to return evaluated data, and it's unlikely that in arbitrary quote data there would be any combination of characters that do "damage" to a client. But good catch.
It is worth noting that without the n switch, mIRC will evaluate $identifiers and %variables in the file. This may be intended, (like adding $time or $nick to your quotes), but may not. Add the switch if you have monetary values or percentages in your quotes. If you accept user data to fill your quote file, you absolutely MUST use this switch, since that WOULD lead to an injection attack vector.
While we're on the topic, you still may also want guards for valid numeric ranges, and, possibly, guarding against $read() returning $null for empty lines and invalid line numbers. Of course this is all just an example.
