I agree that using field names as query parameters is not a good idea. I don't know why it worked before, because SELECT x FROM y ORDER BY 'z' is not valid SQL. Perhaps MySQL 4 was a bit relaxed on its syntax.

I can see only two possible strategies to solve the proble: (a) if you can change the values returned by getQuery() you can replace the placeholders "?" in the ORDER BY clauses with something else (perhaps "??") or (b) you have to write a parser that recognizes the ORDER BY clause and.

In both cases you must preprocess the query before passing it to prepare(), then execute() can replace the placeholders with real values