diff --git a/core/core-backend/src/main/java/io/dataease/engine/trans/Quota2SQLObj.java b/core/core-backend/src/main/java/io/dataease/engine/trans/Quota2SQLObj.java
index 17d6c2634e..1996ffe391 100644
--- a/core/core-backend/src/main/java/io/dataease/engine/trans/Quota2SQLObj.java
+++ b/core/core-backend/src/main/java/io/dataease/engine/trans/Quota2SQLObj.java
@@ -155,11 +155,11 @@ public class Quota2SQLObj {
                 } else if (StringUtils.equalsIgnoreCase(f.getTerm(), "not_empty")) {
                     whereValue = "''";
                 } else if (StringUtils.containsIgnoreCase(f.getTerm(), "in")) {
-                    whereValue = "('" + StringUtils.join(f.getValue(), "','") + "')";
+                    whereValue = "('" + StringUtils.join(sanitizeSqlLiteral(f.getValue()), "','") + "')";
                 } else if (StringUtils.containsIgnoreCase(f.getTerm(), "like")) {
-                    whereValue = "'%" + f.getValue() + "%'";
+                    whereValue = "'%" + sanitizeSqlLiteral(f.getValue()) + "%'";
                 } else {
-                    whereValue = String.format(SQLConstants.WHERE_VALUE_VALUE, f.getValue());
+                    whereValue = String.format(SQLConstants.WHERE_VALUE_VALUE, sanitizeSqlLiteral(f.getValue()));
                 }
                 list.add(SQLObj.builder()
                         .whereField(fieldAlias)
@@ -173,4 +173,10 @@ public class Quota2SQLObj {
         return !CollectionUtils.isEmpty(list) ? "(" + String.join(" " + Utils.getLogic(y.getLogic()) + " ", strList) + ")" : null;
     }
 
+    private static String sanitizeSqlLiteral(String value) {
+        String normalized = StringUtils.defaultString(value);
+        Utils.validateSqlInjectionRisk(normalized);
+        return Utils.transValue(normalized);
+    }
+
 }
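Review bot: In the `in` branch the sanitized value is handed to `StringUtils.join(..., "','")` as a single `String`; because `sanitizeSqlLiteral(String)` now pins that argument type, the call appears to resolve to the varargs `join(T...)` overload, which concatenates its arguments with no separator, so a multi-value IN list is not split here and each element is not sanitized individually. If the list is already split and reduced to one element before this point (outside the hunk), a comment on the `in` line saying so would keep the next reader from assuming per-element escaping, e.g. `// f.getValue() holds a single, already-split element; join only adds the quote separator`; if it is not, the values need to be split first and `sanitizeSqlLiteral` applied to each. Separately, the `like` branch escapes quotes but leaves `%` and `_` in the user value unescaped, so a supplied wildcard still widens the match; that is not injection, but an explicit escape (or a comment that wildcard pass-through is intended) would document the decision. The enclosing method starts before and ends after this hunk.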
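Review bot: `sanitizeSqlLiteral` is now the sole defence for SQL that is still assembled by string concatenation, yet it has no Javadoc stating what each step guarantees; the name `validateSqlInjectionRisk` suggests a pattern-based rejection check, which is a weaker control than parameterization, so the real protection rests on `Utils.transValue` producing escaping that is correct for every dialect this translator emits (quote doubling and backslash escaping differ between MySQL, PostgreSQL and others). I would document that explicitly: `/** Turns a user-supplied filter value into the body of a SQL string literal: null becomes "", values flagged by Utils.validateSqlInjectionRisk are rejected (it is expected to throw), and the rest is escaped by Utils.transValue. The result is still concatenated into SQL, so the escaping must match the target dialect; callers add the surrounding quotes. */`. If other `*2SQLObj` translators build the same literals, the helper belongs on `Utils` rather than as a private copy here, so they cannot drift apart; and a small per-dialect unit test of `transValue` on `'`, `\` and `%` inputs would back the claim the helper now makes.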