sqlsql?id// 使用参数执行 SQL 语句的正确格式.
rows, err := db.Query("SELECT * FROM user WHERE id = ?", id)
sqlsql$1?fmt// 安全风险!
rows, err := db.Query(fmt.Sprintf("SELECT * FROM user WHERE id = %s", id))
%sid%sSELECT * FROM user WHERE id = 1 OR 1=1;