Just about every web developer encounters scenarios where they need to let the user sort the results by the column they choose and that leads to dangers of possible SQL injection, but also the loss of prepared statement caching and optimizations (at least under Java with JPA). I have tried using numeric parameters in the ORDER BY expression, but they have no effect (last tested under 9.3). What if we make it so that they can take numeric parameters?
I realize that might cut the query planner's optimizations short, when used, but it would provide your users with additional security. After that the problem remains the direction of the ordering, since that one is a keyword literal, but keeping just two string constants with the queries for ascending and descending is better than creating new strings every time depending on the column used or keeping 14 versions of the same query.
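One way to get the "two string constants" arrangement described above with the ORDER BY behaviour that exists today, as an added example that is not part of the original post: the sort column is selected by a bound integer inside CASE expressions, and only the ASC/DESC keyword differs between the two fixed query texts. It assumes Python's built-in `sqlite3` as a stand-in for PostgreSQL so it runs offline; the `items` table, its columns and the function names are hypothetical.

```python
import sqlite3

# Two constant query strings, one per direction; the sort column is chosen by
# the bound integer :col. One CASE per column keeps each sort key's type intact
# (a non-matching CASE yields NULL for every row, so it does not affect order).
_ORDER = ("CASE :col WHEN 1 THEN name END {d}, "
          "CASE :col WHEN 2 THEN price END {d}, "
          "CASE :col WHEN 3 THEN created END {d}, id {d}")
_BASE = "SELECT id, name, price, created FROM items ORDER BY "
QUERY_ASC = _BASE + _ORDER.format(d="ASC")
QUERY_DESC = _BASE + _ORDER.format(d="DESC")

# Allowlist from the user-facing sort key to the integer passed as :col.
SORT_KEYS = {"name": 1, "price": 2, "created": 3}

def sorted_items(conn, sort_key, descending=False):
    """Return rows ordered by a user-chosen column without building SQL from input."""
    try:
        col = SORT_KEYS[sort_key]
    except (KeyError, TypeError):
        # Anything outside the allowlist is rejected before it reaches the database.
        raise ValueError("unsupported sort key") from None
    query = QUERY_DESC if descending else QUERY_ASC
    return conn.execute(query, {"col": col}).fetchall()

def demo_connection():
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items "
                 "(id INTEGER PRIMARY KEY, name TEXT, price REAL, created TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?, ?)", [
        (1, "widget", 9.50, "2014-03-01"),
        (2, "anvil", 120.00, "2014-01-15"),
        (3, "gasket", 0.75, "2014-02-20"),
    ])
    return conn

if __name__ == "__main__":
    conn = demo_connection()
    print(sorted_items(conn, "price"))
    print(sorted_items(conn, "name", descending=True))
```

Because the ordering goes through CASE expressions, the database generally cannot use an index on the chosen column to satisfy the sort, which is the planner trade-off the post mentions.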