Simply provide a combo-box with sort-choices as part of the form.
Within your code, define a hashref that contains, for each possible valid value within the combo, the known-good SQL for an ORDER BY clause. When you see that the POSTed data contains the sort-choice combo, try to look up that value within the hash. If you find it, use the corresponding known-good SQL text in your next query. (Otherwise, use some default, or generate a “Bug” error-message.)
Of course, it should go without saying that you must not use any user-provided text directly within your SQL string. This is why the hashref, which is defined in your Perl code, contains all of the legitimate possibilities for the sort-field, and the corresponding SQL text. (You can handle both “ascending” and “descending” sorts with an obvious variation of this technique. Also notice that you can easily “do what I mean,” even if the actual ORDER BY clause includes multiple database-columns, a mixture of ASC and DESC, and so on.)
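A sketch of the lookup described above, as an added example that is not part of the original post. The table `articles`, its columns, the form fields `sort`, `dir` and `category`, and the function `build_query` are all assumptions made for illustration.

```perl
use strict;
use warnings;

# Allowlist: combo-box value => known-good ORDER BY text, one per direction.
# Table and column names here are hypothetical.
my $SORT = {
    title  => { asc  => 'title ASC',
                desc => 'title DESC' },
    newest => { asc  => 'published_at DESC, title ASC',
                desc => 'published_at ASC, title ASC' },
    author => { asc  => 'author_last ASC, author_first ASC, published_at DESC',
                desc => 'author_last DESC, author_first DESC, published_at DESC' },
};
my ($DEFAULT_SORT, $DEFAULT_DIR) = ('newest', 'asc');

# Returns ($sql, @bind). Form values are only ever used as hash keys;
# the ORDER BY text always comes from $SORT, never from the request.
sub build_query {
    my ($form) = @_;
    my $sort = defined $form->{sort} ? $form->{sort} : $DEFAULT_SORT;
    my $dir  = defined $form->{dir}  ? $form->{dir}  : $DEFAULT_DIR;

    # A value the combo-box could not have produced is treated as a bug.
    my $entry = $SORT->{$sort}  or die "Bug: unknown sort choice\n";
    my $order = $entry->{$dir}  or die "Bug: unknown sort direction\n";

    # Ordinary values still go through placeholders, not interpolation.
    my $sql = "SELECT id, title FROM articles WHERE category = ? ORDER BY $order";
    return ($sql, $form->{category});
}

# Constructed sample requests: defaults, a valid choice, a tampered value.
for my $form (
    { category => 'news' },
    { category => 'news', sort => 'author', dir => 'desc' },
    { category => 'news', sort => 'title; --' },
) {
    my ($sql, @bind) = eval { build_query($form) };
    print defined $sql ? "$sql  [bind: @bind]\n" : "rejected: $@";
}
# With DBI the result would be run as:
#   my $rows = $dbh->selectall_arrayref($sql, undef, @bind);
```

The `newest` entry shows the "do what I mean" case: the label the user picks and the multi-column SQL behind it do not have to resemble each other.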