MySQL escape string

Question
How can I filter input from a URL parameter, for example

localhost:8080/v1/data/:id

I want to use a filter like mysql_real_escape_string for the id parameter in Golang. I can't use ? because this filter is dynamic: the parameter may or may not be used, as in this example:

if status != "99" {
    where = append(where, "vs.stats = '1'")
}
if cari != "" {
    // cari is spliced directly into the SQL text here
    where = append(where, "(lm.title_member like '%"+cari+"%' OR "+
        "lm.nama_member like '%"+cari+"%' )")
}
query := "select vs.*, lm.nama_member from volks_shift vs left join list_member lm on vs.id_m=lm.id_m where vs.id_s=?"
rows, err := s.DB.QueryContext(ctx, query, id_s)

and I want to secure the cari value without using ?.
Answer 1
Score: 0
There is no escape function in the database/sql package, see related issue #18478 (and it's also not nice to invoke a mysql-specific function when using a database abstraction layer).

But it is also not needed as you can still use ? in a dynamic query. Just build the query parameters dynamically together with the query, like so:

query := "SELECT vs.*, lm.nama_member" +
    " FROM volks_shift vs LEFT JOIN list_member lm ON vs.id_m=lm.id_m" +
    " WHERE vs.id_s=?"
params := []interface{}{id_s} // grows in step with the ? placeholders
if status != "99" {
    query += " AND vs.stats = '1'" // constant fragment, no user input
}
if cari != "" {
    query += " AND (lm.title_member LIKE ? OR lm.nama_member LIKE ?)"
    // the wildcards go into the bound value, not into the SQL text
    params = append(params, "%"+cari+"%", "%"+cari+"%")
}
rows, err := s.DB.QueryContext(ctx, query, params...)
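The same pattern as a complete, runnable query builder. This is an added example, not code from the question or the answer. It keeps the table and column names from the question (volks_shift, list_member, vs.id_s, vs.stats, lm.title_member, lm.nama_member) and adds one caveat the answer leaves out: a bound ? stops SQL injection, but % and _ inside cari are still LIKE wildcards, so the builder escapes them and declares the escape character with an ESCAPE '!' clause. The function names buildSearchQuery, escapeLike and search are my own.

```go
package main

import (
	"context"
	"database/sql"
	"fmt"
	"strings"
)

// escapeLike neutralises the LIKE metacharacters in a user-supplied search
// term. A ? placeholder already stops SQL injection, but % and _ inside the
// bound value are still interpreted as wildcards by LIKE. We escape them with
// '!' and tell the server about that choice with ESCAPE '!', which avoids
// relying on the backslash default and its interaction with string literals.
func escapeLike(s string) string {
	r := strings.NewReplacer("!", "!!", "%", "!%", "_", "!_")
	return r.Replace(s)
}

// buildSearchQuery assembles the dynamic WHERE clause and the matching
// parameter list side by side, so every user-controlled value travels as a
// bound parameter and the SQL text only ever contains our own fragments.
// (Hypothetical helper; table and column names are taken from the question.)
func buildSearchQuery(idS string, status string, cari string) (string, []interface{}) {
	var sb strings.Builder
	sb.WriteString("SELECT vs.*, lm.nama_member")
	sb.WriteString(" FROM volks_shift vs LEFT JOIN list_member lm ON vs.id_m = lm.id_m")
	sb.WriteString(" WHERE vs.id_s = ?")
	params := []interface{}{idS}

	if status != "99" {
		// Constant fragment with no user input: safe to append as text.
		sb.WriteString(" AND vs.stats = '1'")
	}
	if cari != "" {
		// Wildcards are added in Go, the value itself is bound, and the
		// ESCAPE clause makes user-typed % and _ match literally.
		pattern := "%" + escapeLike(cari) + "%"
		sb.WriteString(" AND (lm.title_member LIKE ? ESCAPE '!' OR lm.nama_member LIKE ? ESCAPE '!')")
		params = append(params, pattern, pattern)
	}
	return sb.String(), params
}

// search runs the built query against a *sql.DB. It is not exercised in main
// because no database is available here; it only shows that the builder's
// output plugs straight into QueryContext.
func search(ctx context.Context, db *sql.DB, idS, status, cari string) (*sql.Rows, error) {
	query, params := buildSearchQuery(idS, status, cari)
	return db.QueryContext(ctx, query, params...)
}

func main() {
	// Constructed input: a hostile search term mixing a quote, a comment
	// marker and a LIKE wildcard. None of it reaches the SQL text.
	query, params := buildSearchQuery("42", "1", "x' OR 1=1 -- %")
	fmt.Println(query)
	fmt.Printf("%q\n", params)
}
```

With the hostile input above, the SQL text ends in LIKE ? ESCAPE '!' placeholders and the bound value is "%x' OR 1=1 -- !%%", so the quote and comment marker are just characters in a string parameter and the trailing % matches a literal percent sign rather than "anything".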