Example (imports of fmt and the sqlstring package omitted):
```go
// The single quote in "t'est" is escaped by sqlstring.Format.
sql := sqlstring.Format("select * from users where name=? and age=? limit ?,?", "t'est", 10, 10, 10)
fmt.Printf("sql: %s\n", sql)
```
Output:
```
sql: select * from users where name='t\'est' and age=10 limit 10,10
```
This is correct. However, the protection can easily be defeated by passing a value that already contains a backslash before the quote:
```go
// Raw string literal: the value is the four characters t \ ' e s t, backslash included.
sql := sqlstring.Format("select * from users where name=? and age=? limit ?,?", `t\'est`, 10, 10, 10)
fmt.Printf("sql: %s\n", sql)
```
Output:
```
sql: select * from users where name='t\\'est' and age=10 limit 10,10
```
The doubled backslash leaves the single quote unescaped: MySQL reads `\\` as a literal backslash and the following `'` as the end of the string, so the rest of the value is interpreted as SQL, resulting in an SQL injection vulnerability.
https://go.dev/play/p/qVnax1F8P9M
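As an added illustration (not the sqlstring package's own code), the following shows what correct MySQL-style escaping of the same two inputs looks like, together with a small check that detects the failure mode reported above: a single quote preceded by an even number of backslashes, which ends the literal early. The function names escapeLiteral and breaksOut are assumptions for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeLiteral escapes every character that can end or alter a MySQL-style
// single-quoted literal. Backslash and quote are each escaped independently,
// so the input t\'est becomes t\\\'est and the quote stays inside the literal.
func escapeLiteral(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch r {
		case '\\', '\'', '"':
			b.WriteByte('\\')
			b.WriteRune(r)
		default:
			b.WriteRune(r)
		}
	}
	return "'" + b.String() + "'"
}

// breaksOut reports whether a quoted literal contains a single quote preceded
// by an even number of backslashes (zero included), i.e. one that ends the literal early.
func breaksOut(lit string) bool {
	inner := lit[1 : len(lit)-1]
	backslashes := 0
	for i := 0; i < len(inner); i++ {
		switch inner[i] {
		case '\\':
			backslashes++
			continue
		case '\'':
			if backslashes%2 == 0 {
				return true
			}
		}
		backslashes = 0
	}
	return false
}

func main() {
	for _, in := range []string{"t'est", `t\'est`} {
		lit := escapeLiteral(in)
		fmt.Printf("%-7s -> %s breaksOut=%v\n", in, lit, breaksOut(lit))
	}
}
```

Running breaksOut over the reported output `'t\\'est'` returns true, while the correctly escaped `'t\\\'est'` returns false; using database/sql placeholders instead of string formatting avoids the problem entirely.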