in reply to Re: DBI ignores value selected by CGI
in thread DBI ignores value selected by CGI
If you replace the ? with $order_by make sure you do $order_by = $dbh->quote($order_by) first to ensure no special characters are included in the query.
Better still, you could check $order_by against a list of allowed values. For example:
my %allowed = ('part_no'=>undef, 'id'=>undef, 'col_name'=>undef); die unless exists $allowed{$order_by};
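An added example in Perl (not the original poster's code; it assumes a hypothetical `parts` table with the columns named above and uses DBD::SQLite only for the demonstration) showing the allowlist check combined with a `?` placeholder for the filter value and `quote_identifier` for the column, since placeholders cannot stand in for identifiers:

```perl
use strict;
use warnings;
use DBI;

# Columns a caller may sort on (hypothetical schema). Only the keys matter.
my %ALLOWED_ORDER = map { $_ => 1 } qw(part_no id col_name);

# Build an ORDER BY query safely: the column name must be in the allowlist,
# the direction is restricted to ASC/DESC, and the value is bound with ?.
sub build_query {
    my ($dbh, $order_by, $dir, $min_id) = @_;

    die "refusing unknown sort column '$order_by'\n"
        unless defined $order_by && exists $ALLOWED_ORDER{$order_by};

    $dir = uc($dir // 'ASC');
    die "bad sort direction '$dir'\n" unless $dir eq 'ASC' || $dir eq 'DESC';

    # quote_identifier applies the driver's identifier quoting (e.g. "part_no");
    # it is extra insurance, not a substitute for the allowlist check above.
    my $col = $dbh->quote_identifier($order_by);
    my $sql = "SELECT id, part_no, col_name FROM parts WHERE id >= ? ORDER BY $col $dir";
    return ($sql, $min_id);
}

# Demonstration against an in-memory SQLite database with constructed sample rows.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE parts (id INTEGER, part_no TEXT, col_name TEXT)');
my $ins = $dbh->prepare('INSERT INTO parts VALUES (?, ?, ?)');
$ins->execute(@$_) for [1, 'P-200', 'widget'], [2, 'P-100', 'bolt'], [3, 'P-300', 'nut'];

# The second value mimics a tampered CGI parameter and is rejected before any SQL runs.
for my $requested ('part_no', 'id; DROP TABLE parts') {
    my ($sql, @bind) = eval { build_query($dbh, $requested, 'asc', 2) };
    if ($@) { print "rejected: $@"; next; }
    my $rows = $dbh->selectall_arrayref($sql, undef, @bind);
    print "$sql -> ", join(', ', map { $_->[1] } @$rows), "\n";
}
```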