Using a prepared statement and variable bind Order By in Java with JDBC driver

情深已故 2020-12-01 14:27

I'm using

  1. jdbcTemplate to make JDBC connections to a MySQL DB
  2. prepared statements to protect myself as much as possible from SQL injection attacks
3 answers
  •  庸人自扰
    2020-12-01 14:55

    I would just concatenate the column name and the order to the SQL query, but only after

    1. verifying that the column name and order are valid in this context.
    2. sanitizing them to counter any attempt of SQL Injection attack.

    I feel this is efficient compared to fetching the results to the application layer and sorting them here.
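    A worked version of the allowlist approach described in this answer, added here as an illustration and not code from the answerer or from the original post. It assumes a hypothetical `users` table with `id`, `name`, `email`, `status` and `created_at` columns; the sort-key names are likewise made up for the example. The point it shows is that ORDER BY cannot be a JDBC bind parameter, so the column and direction are never taken from the user's string: they are looked up in fixed maps and only the constant from the map is concatenated, while row values (the status filter) still go through `?` placeholders.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not from the original post). Builds a query whose
 * ORDER BY column and direction come from allowlists, never from the
 * caller's string, and binds the filter value as a prepared-statement
 * parameter. Table and column names are assumptions for illustration.
 */
public final class SafeOrderBy {

    // Allowlist: user-facing sort key -> SQL column expression.
    // Only the map *value* ever reaches the SQL text. (Map.of needs Java 9+.)
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "name", "u.name",
            "email", "u.email",
            "created", "u.created_at");

    private static final Set<String> DIRECTIONS = Set.of("ASC", "DESC");

    private static final String BASE_SQL =
            "SELECT u.id, u.name, u.email, u.created_at FROM users u WHERE u.status = ?";

    /**
     * Returns BASE_SQL with a safe ORDER BY clause, or throws if the sort key
     * or direction is not on the allowlist. Unknown input is rejected rather
     * than "sanitised", so there is nothing to escape.
     */
    public static String buildQuery(String sortKey, String direction) {
        String column = SORT_COLUMNS.get(sortKey);
        if (column == null) {
            throw new IllegalArgumentException("unknown sort key: " + sortKey);
        }
        String dir = direction == null ? "ASC" : direction.trim().toUpperCase(Locale.ROOT);
        if (!DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("unknown sort direction: " + direction);
        }
        // Both fragments are allowlist constants, so concatenation is safe here.
        return BASE_SQL + " ORDER BY " + column + " " + dir;
    }

    /** Plain JDBC: the status value is still bound with setString, not concatenated. */
    public static void printUsers(Connection conn, String status, String sortKey, String direction)
            throws SQLException {
        String sql = buildQuery(sortKey, direction);
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, status);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    System.out.println(rs.getLong("id") + " " + rs.getString("name"));
                }
            }
        }
    }

    // With Spring's JdbcTemplate the same query would be run as:
    //   jdbcTemplate.query(buildQuery(sortKey, direction), rowMapper, status);

    public static void main(String[] args) {
        // Accepted: both values are on the allowlist (direction is case-insensitive).
        System.out.println(buildQuery("created", "desc"));

        // Rejected: an injection attempt in the sort key never reaches the SQL text.
        try {
            buildQuery("name; DROP TABLE users--", "ASC");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

    The map also decouples the API's sort-key names from the schema, so a caller can sort by "created" without learning that the column is `u.created_at`; the direction defaults to ASC when absent and is normalised before the allowlist check so that "desc" and "DESC" both pass while anything else is refused.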
