SQL injection attacks
You might wonder why we bother with the ? placeholders, particularly since we are able to programmatically construct the SQL statement inside Go. The reason is to protect our code from what is called an SQL injection attack. Inserting user-provided text directly into our SQL queries could allow our users to execute their own SQL code on our database: a carefully chosen value can close the string literal it was meant to sit inside and append clauses of its own. With a placeholder, the statement text stays fixed and the value is passed to the database separately as a parameter, so it is only ever treated as data and never as part of the SQL.
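The contrast described above, as an added example that is not code from the book or its sample application. The table and column names, the keyword list and the sample inputs are all constructed for illustration. The first builder splices user text into the statement; the second returns what a placeholder query hands to db.Query: a constant statement plus a separate argument. A small literal-aware scan counts SQL keywords outside string literals to show that only the spliced version changes structure.

```go
package main

import (
	"fmt"
	"strings"
)

// safeStmt is the fixed statement text a placeholder query always sends.
// Table and column names are assumed for this example.
const safeStmt = "SELECT id, title FROM snippets WHERE title = ?"

// buildUnsafe does what the placeholder protects against: it concatenates
// the user-supplied title straight into the statement text.
func buildUnsafe(title string) string {
	return fmt.Sprintf("SELECT id, title FROM snippets WHERE title = '%s'", title)
}

// buildSafe mirrors db.Query(safeStmt, title): the statement text never
// changes and the value travels separately as a parameter.
func buildSafe(title string) (string, []any) {
	return safeStmt, []any{title}
}

// keywordsOutsideLiterals counts SQL keywords that appear outside
// single-quoted string literals ('' inside a literal is an escaped quote).
// If user input raises this count, it altered the statement's structure
// instead of just supplying a value.
func keywordsOutsideLiterals(sql string) int {
	keywords := map[string]bool{
		"SELECT": true, "FROM": true, "WHERE": true, "OR": true,
		"AND": true, "UNION": true, "DROP": true, "DELETE": true,
	}
	count := 0
	inLiteral := false
	var word strings.Builder
	flush := func() {
		if word.Len() > 0 {
			if keywords[strings.ToUpper(word.String())] {
				count++
			}
			word.Reset()
		}
	}
	runes := []rune(sql)
	for i := 0; i < len(runes); i++ {
		r := runes[i]
		if inLiteral {
			if r == '\'' {
				if i+1 < len(runes) && runes[i+1] == '\'' {
					i++ // escaped quote, still inside the literal
					continue
				}
				inLiteral = false
			}
			continue
		}
		if r == '\'' {
			flush()
			inLiteral = true
			continue
		}
		if r == '_' || (r >= '0' && r <= '9') || (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') {
			word.WriteRune(r)
			continue
		}
		flush()
	}
	flush()
	return count
}

func main() {
	// Constructed inputs: a benign title and a classic injection payload.
	for _, title := range []string{"hello world", "x' OR '1'='1"} {
		unsafe := buildUnsafe(title)
		safe, args := buildSafe(title)
		fmt.Printf("input %q\n", title)
		fmt.Printf("  spliced:     %s  (keywords: %d)\n", unsafe, keywordsOutsideLiterals(unsafe))
		fmt.Printf("  placeholder: %s  args=%q (keywords: %d)\n", safe, args, keywordsOutsideLiterals(safe))
	}
}
```

With the benign title both forms carry three keywords (SELECT, FROM, WHERE). With the payload the spliced statement gains an OR clause outside any literal, while the placeholder statement is byte-for-byte unchanged and the payload is merely the value of its one argument.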