In order to prevent SQL injections and the disclosure of information about the database tables, and to avoid passing MySQL functions as GQL sorting parameters, I refactored the FormatSQL() function.
Additionally, the old approach of using a regex to filter the orderBy parameter was not effective and prevented using column.table annotations.
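
One way to handle a client-supplied sort parameter without a regex filter is an allow-list that maps each accepted name, dotted names included, to a fixed, pre-quoted SQL identifier. The following is an added example, not the project's FormatSQL() code; `BuildOrderBy`, `allowedSort` and the table and column names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedSort is a constructed allow-list. Keys are the names a client may
// send; values are the only SQL text that can reach the query.
var allowedSort = map[string]string{
	"id":           "`users`.`id`",
	"users.id":     "`users`.`id`",
	"users.name":   "`users`.`name`",
	"orders.total": "`orders`.`total`",
}

// BuildOrderBy converts a sort string such as "users.name desc, orders.total"
// into an ORDER BY clause. Client text is only used as a map key, never copied
// into the SQL, so function calls and unknown columns are rejected.
func BuildOrderBy(param string) (string, error) {
	var terms []string
	for _, part := range strings.Split(param, ",") {
		fields := strings.Fields(part)
		if len(fields) == 0 || len(fields) > 2 {
			return "", fmt.Errorf("invalid sort term %q", part)
		}
		col, ok := allowedSort[strings.ToLower(fields[0])]
		if !ok {
			return "", fmt.Errorf("sort column %q is not allowed", fields[0])
		}
		dir := "ASC"
		if len(fields) == 2 {
			switch strings.ToUpper(fields[1]) {
			case "ASC":
			case "DESC":
				dir = "DESC"
			default:
				return "", fmt.Errorf("invalid sort direction %q", fields[1])
			}
		}
		terms = append(terms, col+" "+dir)
	}
	return "ORDER BY " + strings.Join(terms, ", "), nil
}

func main() {
	fmt.Println(BuildOrderBy("users.name desc, orders.total"))
	fmt.Println(BuildOrderBy("now()")) // a function call is not a key in the allow-list
}
```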