I've seen quite a few posts on this, many come to the same conclusion that using a (possibly length) switch statement is the best way to protect against your SQL query being injected with unwanted statements.
If your primary goal is to prevent SQL Injection, then you might consider simply using the List Function to strip the first word from a user specified parameter.
SELECT field1, field2
ORDER BY #ListFirst(url.sort, " ")#
I have not gone through all of the possibilities on this one, so if someone sees a way that the above statement might still allow SQL Injections, please comment.
Of course, a malicious user would be able to inject a one word statement into the order by clause, but I have difficulty seeing what harm that can cause.