Yea a select box and a submit button, or on an event on the select box would do it fine. You can pass it to the same page. If you don't want your field names exposed, you can put numbers as input and use if conditions.

$ORDER_BY = $_REQUEST['field_name'];

$sql = "SELECT * from registration_table ORDER by ". $ORDER_BY ." ASC";

Habtom

Just remember to validate well since you're putting user-submitted data directly into a query.

Better yet, use a switch statement with a default and you can hide field names and you don't have to worry about rogue data.

Hidden fields are vulnerable as well;
you need to verify that the data received is the data expected

To secure a switch
You may use for example:
$state=$_POST['state'];
$clean_state = array();
switch ($_POST['state'])
{
case 'ct':
case 'ma':
case 'ny':
$clean_state['state'] = ($_POST['state']);
break;
}
$state=$clean_state['state'];
if ($state!=$clean_state['state'])
{
echo" <h1>We are aware of the tentative intrusion in State options</h1><br>";
exit();
}

Or if you don't have a pagination, then you can even do that with free javascript code - sort on the client's side.

[kryogenix.org...]

Your switch idea is great. Why didn't I think of that? I'll have to implement that on my sites soon. I love simple solutions to complex problems.

Thanks,
French people have a quote (loosely translated) “Give back to Caesar what's belonging to Caesar"
Meaning I do not claim paternity for the solution!
I read about it somewhere and make it working for my specific needs
Reading about security is a double edge sword; you get scared and may learn a great deal too :)

Hidden fields are vulnerable as well;
you need to verify that the data received is the data expected

Hidden fields are irrelevant here. Use a switch to explicitly declare input (like the example with the $clean_state array above) and then default if none are met. In an inconsequential situation like this there’s no need and/or point to break from the system to tell someone you are aware of their mischief.