bradcathey:
If your program is the source of the column names, then there shouldn't be a concern. You typically have problems with SQL-injection issues when a third party can put in bits of code that can mess up the database. For example, in your first case, your program is supplying the names, so you don't have to worry. But if it were more like:
my $sort_by = <>;
my $stmt = 'SELECT * FROM time_sheet WHERE user_id=? ORDER BY ' . $sort_by;
Then you're opening the door for someone to hose your database.
...roboticus
When your only tool is a hammer, all problems look like your thumb.
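
An added example, not part of the post above: placeholders cannot stand in for a column name, so when the sort column does come from outside the program, one common approach is to map the input through a fixed allow-list and build ORDER BY only from the program's own strings. The sort keys and the column names other than time_sheet and user_id are assumptions for illustration.

```perl
use strict;
use warnings;

# Assumed column names for illustration; only time_sheet and user_id
# appear in the post above.
my %SORTABLE = (
    date    => 'work_date',
    hours   => 'hours',
    project => 'project_code',
);
my %DIRECTION = ( asc => 'ASC', desc => 'DESC' );

# Returns SQL whose ORDER BY clause is built only from the fixed strings
# above. The caller's input selects an entry; it is never concatenated.
sub build_timesheet_query {
    my ($sort_key, $dir_key) = @_;
    $sort_key = lc( $sort_key // '' );
    $dir_key  = lc( $dir_key  // 'asc' );

    my $column = $SORTABLE{$sort_key}
        or die "unsupported sort key\n";
    my $dir = $DIRECTION{$dir_key}
        or die "unsupported sort direction\n";

    return "SELECT * FROM time_sheet WHERE user_id=? ORDER BY $column $dir";
}

# Constructed sample inputs: two ordinary requests and one carrying extra SQL.
for my $case ( [ 'hours', 'desc' ], [ 'Date', undef ],
               [ 'hours; DROP TABLE time_sheet', 'asc' ] ) {
    my $stmt = eval { build_timesheet_query(@$case) };
    if (defined $stmt) {
        print "ok:       $stmt\n";
        # With DBI: my $sth = $dbh->prepare($stmt); $sth->execute($user_id);
    }
    else {
        chomp( my $err = $@ );
        print "rejected: $err\n";
    }
}
```

The user_id value still travels through the ? placeholder at execute time; only the identifier and direction, which placeholders cannot carry, go through the allow-list.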