
Prevent SQL injection

Go
SMILET 2021-10-18 10:10:54
Question 1: I have the MySQL query below, and it works fine, but I just found out that this is not a safe approach, because it is open to SQL injection. As you can see, the WHERE clause is the problem if I want to pass it as a parameter: _, err := dbmap.Select(&response.AppsData, "SELECT...", ?). Any suggestion is very welcome.

    where := ""
    for i := 0; i < len(acl_user_apps); i++ {
        fmt.Println(acl_user_apps[i].AppId)
        fmt.Println(acl_user_apps[i].Permissions)
        if where == "" {
            where = "WHERE Apps.id=" + strconv.Itoa(acl_user_apps[i].AppId)
        } else {
            where = where + " OR Apps.id=" + strconv.Itoa(acl_user_apps[i].AppId)
        }
    }
    query := "SELECT Apps.*, GROUP_CONCAT(DISTINCT IFNULL(AppCategoryMatches.category_id,'-1') SEPARATOR ',') as temp, " +
        "GROUP_CONCAT(DISTINCT IFNULL(AppCategories.category_name,'-1') SEPARATOR ',') as tmp_name " +
        "FROM Apps LEFT JOIN AppCategoryMatches ON AppCategoryMatches.app_id=Apps.id " +
        "LEFT JOIN AppCategories ON (AppCategoryMatches.`category_id` = AppCategories.id) " +
        where + " GROUP BY Apps.id ORDER BY " + sort_by + " " + order_by + " LIMIT " + limit + " OFFSET " + offset
    _, err := dbmap.Select(&response.AppsData, query)

Question 2: I also just want to know whether anyone has run into problems passing the ORDER parameter...

    _, err := dbmap.Select(&response.AppsData,
        "SELECT Apps.*, GROUP_CONCAT(DISTINCT IFNULL(AppCategoryMatches.category_id,'-1') SEPARATOR ',') as temp, " +
            "GROUP_CONCAT(DISTINCT IFNULL(AppCategories.category_name,'-1') SEPARATOR ',') as tmp_name " +
            "FROM Apps LEFT JOIN AppCategoryMatches ON AppCategoryMatches.app_id=Apps.id " +
            "LEFT JOIN AppCategories ON (AppCategoryMatches.category_id = AppCategories.id) " +
            "GROUP BY Apps.id ORDER BY ?", "title")

This ORDER BY is the simplest thing ever... why doesn't it work?
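The usual fix for both questions, as an added example that is not part of the original post and not the asker's code: bind the ids, LIMIT and OFFSET as `?` placeholders (an `IN (?,?,?)` list instead of the OR chain), and validate the sort column and direction against a fixed allow-list rather than concatenating them. Placeholders can only carry values, never identifiers, which is why `ORDER BY ?` with `"title"` does not fail but also does not sort: MySQL orders by the constant string 'title', so every row compares equal. The column names in the allow-list and the sample ids are assumptions; the query text is the one from the question. With gorp the result is passed as `dbmap.Select(&response.AppsData, query, args...)`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Column names permitted in ORDER BY. Identifiers cannot be bound with "?",
// so they are checked against this allow-list instead of being concatenated.
// The set of columns is an assumption for this example.
var allowedSortColumns = map[string]bool{
	"id":    true,
	"title": true,
}

// appsSelect is the query text from the question without the dynamic parts.
const appsSelect = "SELECT Apps.*, " +
	"GROUP_CONCAT(DISTINCT IFNULL(AppCategoryMatches.category_id,'-1') SEPARATOR ',') AS temp, " +
	"GROUP_CONCAT(DISTINCT IFNULL(AppCategories.category_name,'-1') SEPARATOR ',') AS tmp_name " +
	"FROM Apps " +
	"LEFT JOIN AppCategoryMatches ON AppCategoryMatches.app_id = Apps.id " +
	"LEFT JOIN AppCategories ON AppCategoryMatches.category_id = AppCategories.id"

// BuildAppsQuery returns the SQL text and the arguments to bind to it.
// The ids, limit and offset travel as "?" placeholders; the sort column and
// direction are validated and only then spliced into the statement.
func BuildAppsQuery(appIDs []int, sortBy, orderBy string, limit, offset int) (string, []interface{}, error) {
	if len(appIDs) == 0 {
		return "", nil, errors.New("no app ids supplied")
	}
	if !allowedSortColumns[sortBy] {
		return "", nil, fmt.Errorf("sort column %q is not allowed", sortBy)
	}
	dir := strings.ToUpper(orderBy)
	if dir != "ASC" && dir != "DESC" {
		return "", nil, fmt.Errorf("sort direction %q is not allowed", orderBy)
	}
	if limit <= 0 || offset < 0 {
		return "", nil, errors.New("limit must be positive and offset non-negative")
	}

	// One "?" per id, e.g. "?,?,?" for three ids.
	placeholders := strings.TrimSuffix(strings.Repeat("?,", len(appIDs)), ",")

	args := make([]interface{}, 0, len(appIDs)+2)
	for _, id := range appIDs {
		args = append(args, id)
	}
	args = append(args, limit, offset)

	query := appsSelect +
		" WHERE Apps.id IN (" + placeholders + ")" +
		" GROUP BY Apps.id" +
		" ORDER BY Apps." + sortBy + " " + dir +
		" LIMIT ? OFFSET ?"
	return query, args, nil
}

func main() {
	// Constructed sample ids standing in for acl_user_apps[i].AppId.
	ids := []int{3, 7, 12}
	query, args, err := BuildAppsQuery(ids, "title", "asc", 20, 0)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(query)
	fmt.Println(args)
	// gorp: dbmap.Select(&response.AppsData, query, args...)

	// A sort column that is not on the allow-list is rejected, not concatenated.
	_, _, err = BuildAppsQuery(ids, "title; DROP TABLE Apps", "asc", 20, 0)
	fmt.Println("rejected:", err)
}
```

The allow-list is the important part: `ORDER BY`, table and column names have to be chosen by the program from a closed set, while every value the user supplies (ids, paging numbers, search terms) goes through a placeholder.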

2 answers · 0 following · 156 views