You can't use a parameter in a SQL statement in place of a column name. It has inherent SQL Injection protection that prevents column names from being passed in.
There is a class for adding sorts in the rsobj.php file that you could use, or you could add it into your SQL directly.