diff --git a/datasette/app.py b/datasette/app.py
index 17a82109a5..576a82fd94 100644
--- a/datasette/app.py
+++ b/datasette/app.py
@@ -616,10 +616,10 @@ async def data(self, request, name, hash, table):
 # Allow for custom sort order
 sort = special_args.get('_sort')
 if sort:
- order_by = sort
+ order_by = escape_sqlite(sort)
 sort_desc = special_args.get('_sort_desc')
 if sort_desc:
- order_by = '{} desc'.format(sort_desc)
+ order_by = '{} desc'.format(escape_sqlite(sort_desc))
 count_sql = 'select count(*) from {table_name} {where}'.format(
 table_name=escape_sqlite(table),