Are you kidding ?
As the PHP manual said "if you use double quotes there will be a need to escape the variable names". In your example you use a function with double quotes, without escaping the variable $sort_by, so this is not a PHP vulnerability, but a development one. For this time, don't blame PHP, blame developers. It's like if I was using mysql_query() without escaping user's inputs...an sql injection, not a PHP vuln ;)
