I have a function that takes inputs that will be used for keywords in the query. I want to use placeholders for these things in the query string, as otherwise there will be a sqli vulnerability.
Here's my function:
function get_things( $args = array() ) {
    global $wpdb;

    // Both %s placeholders are quoted by prepare(), which is the problem described below.
    $sql = $wpdb->prepare(
        "SELECT * FROM " . $wpdb->prefix . "my_table ORDER BY %s %s",
        $args['order_by'],
        $args['order']
    );
    $results = $wpdb->get_results( $sql );

    return $results;
}
The second placeholder will be a MySQL keyword (either ASC or DESC). The problem with the above function is that the keyword will be wrapped in quotes. How can I fix this, whilst not creating a sqli vulnerability?
Also, the first placeholder (which will be a column name) is also being wrapped in quotes, which I don't want and is causing issues.
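An added example (not the asker's code) of the usual way to handle this: `$wpdb->prepare()` quotes every `%s`, so identifiers and keywords are never passed as placeholders; instead they are checked against a fixed allowlist and only the allowlisted value is interpolated, while real values (here a hypothetical `limit` argument) still go through `prepare()`. The table name `my_table` and its columns `id`, `title`, `created_at` are assumptions.

```php
<?php
// Assumes a WordPress context where the global $wpdb is available and the table
// {$wpdb->prefix}my_table has the columns id, title and created_at (hypothetical).

function get_things( $args = array() ) {
    global $wpdb;

    // Allowlist of sort columns: user-supplied key => real column name.
    // Nothing outside this array is ever placed in the SQL string.
    $allowed_columns = array(
        'id'      => 'id',
        'title'   => 'title',
        'created' => 'created_at',
    );
    $order_by_key = isset( $args['order_by'] ) ? strtolower( (string) $args['order_by'] ) : 'id';
    $order_by     = isset( $allowed_columns[ $order_by_key ] ) ? $allowed_columns[ $order_by_key ] : 'id';

    // Direction must be exactly ASC or DESC; anything else falls back to ASC.
    $order = ( isset( $args['order'] ) && 'DESC' === strtoupper( (string) $args['order'] ) ) ? 'DESC' : 'ASC';

    // Row limit is a value, not an identifier, so it goes through prepare() as %d.
    $limit = isset( $args['limit'] ) ? max( 1, (int) $args['limit'] ) : 100;

    // $order_by and $order are now trusted constants from the allowlist, so they
    // can be interpolated directly; backticks protect the column name. The table
    // prefix comes from $wpdb, not from the caller.
    $table = $wpdb->prefix . 'my_table';
    $sql   = $wpdb->prepare(
        "SELECT * FROM `{$table}` ORDER BY `{$order_by}` {$order} LIMIT %d",
        $limit
    );

    return $wpdb->get_results( $sql );
}
```

Because unknown column keys and directions fall back to defaults rather than being rejected, callers get a predictable result; if you would rather surface bad input, return a `WP_Error` at the allowlist check instead.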