fix(orchestrator):repair sql injection again

internal/tools/orchestrator/scheduler/instanceinfo/instance.go

@@ -105,15 +105,18 @@ func (r *InstanceReader) ByContainerID(id string) *InstanceReader {
 }
 func (r *InstanceReader) ByServiceType(tp string) *InstanceReader {
 	r.conditions = append(r.conditions, fmt.Sprintf("service_type = \"%s\"", tp))
+	r.values = append(r.values, tp)
 	return r
 }
 func (r *InstanceReader) ByPhase(phase string) *InstanceReader {
 	r.conditions = append(r.conditions, fmt.Sprintf("phase = \"%s\"", phase))
 	return r
 }
 func (r *InstanceReader) ByPhases(phases ...string) *InstanceReader {
+	phasesSlice := phases
 	phasesStr := strutil.Map(phases, func(s string) string { return "\"" + s + "\"" })
 	r.conditions = append(r.conditions, fmt.Sprintf("phase in (%s)", strutil.Join(phasesStr, ",")))
+	r.values = append(r.values, phasesSlice)
 	return r
 }
 func (r *InstanceReader) ByFinishedTime(beforeNday int) *InstanceReader {
@@ -164,7 +167,7 @@ func (r *InstanceReader) Limit(n int) *InstanceReader {
 }
 func (r *InstanceReader) Do() ([]InstanceInfo, error) {
 	instanceinfo := []InstanceInfo{}
-	expr := r.db.Where(strutil.Join(r.conditions, " AND ", true), r.values...).Order("started_at desc")
+	expr := r.db.Where("org_id = ? AND application_id = ? AND service_type = ? AND phase in (?)", r.values...).Order("started_at desc")
 	if r.limit != 0 {
 		expr = expr.Limit(r.limit)
 	}