sql 执行查询时出现语法错误(sql 注入)?

sql syntax error while executing query (sql injection)?

查询:

    model.client.query("SELECT ( 6371 * acos( cos( radians(:latitude) ) * cos( radians( latitude ) ) * cos( radians(longitude ) - radians(:longitude) ) + sin( radians(:latitude) ) * sin( radians( latitude) ) ) ) AS distance FROM offers where  isActive= :isActive ",{'latitude': latitude, 'longitude': longitude,'isActive':1},function (err,rows) {
        console.log(err);
});

错误

{ Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':latitude) ) * cos( radians( latitude ) ) * cos( radians(longitude ) - radians(:' at line 1
 model.client.query("SELECT ( 6371 * acos( cos( radians(?) ) * cos( radians( latitude ) ) * cos( radians(longitude ) - radians(?) ) + sin( radians(?) ) * sin( radians( latitude) ) ) ) AS distance FROM offers where  isActive= ? ",[latitude,longitude,latitude,isActive],function (err,rows) {
        console.log(err);
});