diff --git a/jshERP-boot/src/main/java/com/jsh/erp/controller/MaterialController.java b/jshERP-boot/src/main/java/com/jsh/erp/controller/MaterialController.java
index 6010c23c..d2715bdf 100644
--- a/jshERP-boot/src/main/java/com/jsh/erp/controller/MaterialController.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/controller/MaterialController.java
@@ -559,7 +559,7 @@ public class MaterialController {
 idList = materialService.getListByParentId(categoryId);
 }
 List dataList = materialService.getListWithStock(depotId, idList, StringUtil.toNull(materialParam),
- column, order, (currentPage-1)*pageSize, pageSize);
+ StringUtil.safeSqlParse(column), StringUtil.safeSqlParse(order), (currentPage-1)*pageSize, pageSize);
 int total = materialService.getListWithStockCount(depotId, idList, StringUtil.toNull(materialParam));
 MaterialVo4Unit materialVo4Unit= materialService.getTotalStockAndPrice(depotId, idList, StringUtil.toNull(materialParam));
 map.put("total", total);
diff --git a/jshERP-boot/src/main/java/com/jsh/erp/utils/StringUtil.java b/jshERP-boot/src/main/java/com/jsh/erp/utils/StringUtil.java
index cbf96963..07574542 100644
--- a/jshERP-boot/src/main/java/com/jsh/erp/utils/StringUtil.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/utils/StringUtil.java
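Review bot: `StringUtil.safeSqlParse(column)` and `StringUtil.safeSqlParse(order)` strip only a fixed list of keywords and punctuation, so anything not on that list still reaches the query verbatim; these two values are presumably spliced into an ORDER BY clause as an identifier and a direction, which cannot be bound as `?` parameters, so the appropriate check here is an allow-list, not a sanitizer. Validate `column` against the set of sortable column names the service actually supports and `order` against `asc`/`desc`, and reject the request when either fails, rather than passing a filtered string through. `safeSqlParse` also dereferences its argument without a null check (see the StringUtil hunk), so if `column` or `order` can be absent from the request this line now throws NullPointerException where the previous line passed null through — compare the existing `StringUtil.toNull(materialParam)` convention on the same call. The enclosing method begins and ends outside the hunk; the same deny-list concern applies to the StringUtil hunks that define `regex` and `safeSqlParse`.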
@@ -19,6 +19,13 @@ public class StringUtil {
 private static String DEFAULT_FORMAT = "yyyy-MM-dd HH:mm:ss";
+ public final static String regex = "'|#|%|;|--| and | and|and | or | or|or | not | not|not " +
+ "| use | use|use | insert | insert|insert | delete | delete|delete | update | update|update " +
+ "| select | select|select | count | count|count | group | group|group | union | union|union " +
+ "| create | create|create | drop | drop|drop | truncate | truncate|truncate | alter | alter|alter " +
+ "| grant | grant|grant | execute | execute|execute | exec | exec|exec | xp_cmdshell | xp_cmdshell|xp_cmdshell " +
+ "| call | call|call | declare | declare|declare | source | source|source | sql | sql|sql ";
+
 public static String filterNull(String str) {
 if (str == null) {
 return "";
@@ -266,6 +273,15 @@ public class StringUtil {
 }
 }
+ /**
+ * sql注入过滤,保障sql的安全执行
+ * @param originStr
+ * @return
+ */
+ public static String safeSqlParse(String originStr){
+ return originStr.replaceAll("(?i)" + regex, "");
+ }
+
 public static void main(String[] args) {
 int i = 10/3;
 System.out.println(i);
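Review bot: The `regex` constant is a public, lower-case String whose only consumer recompiles it on every `replaceAll` call; the idiomatic form is a private, upper-case constant compiled once, `private static final Pattern SQL_KEYWORD_PATTERN = Pattern.compile(SQL_KEYWORD_REGEX, Pattern.CASE_INSENSITIVE);`, which would also make the case-insensitive intent visible at the declaration instead of at the call site. The alternation deletes `'`, `#`, `%`, `;`, `--` and every listed word adjacent to a space, so legitimate values that happen to contain those characters are silently altered rather than rejected, which is hard to debug from the caller's side. A short comment above the constant stating that this is a best-effort deny-list for values used in identifier position (sort column, sort direction) and not a substitute for allow-list validation or bound parameters would stop future callers from applying it to values that can simply be parameterized.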
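Review bot: `safeSqlParse` throws NullPointerException for a null argument because `originStr.replaceAll` is called unconditionally, and the MaterialController hunk passes it request-derived `column`/`order` that the old code forwarded as-is. A single `replaceAll` pass is also not a fixed point — removing one match can leave the characters on either side forming a new match — so callers treating the return value as clean get weaker filtering than the name suggests; the robust fix remains allow-listing the sort column and direction at the call site. The Javadoc should state the contract explicitly — strips a fixed list of SQL keywords and punctuation case-insensitively, returns null for null input, and is a best-effort filter for identifier-position values rather than a replacement for allow-list validation or bound parameters — and fill in the empty `@param originStr` and `@return` tags. The rewrite below adds the null guard, documents the contract, and uses a precompiled `Pattern` (`java.util.regex.Pattern` must be imported; the import block is outside the hunk).
```java
private static final Pattern SQL_KEYWORD_PATTERN = Pattern.compile(regex, Pattern.CASE_INSENSITIVE);

/**
 * Best-effort deny-list filter: strips the SQL keywords and punctuation listed in
 * {@code regex} (case-insensitive) from a value used in identifier position, such as
 * a sort column or sort direction. Not a substitute for allow-list validation or
 * bound parameters.
 *
 * @param originStr value to filter; may be null
 * @return the filtered value, or null when {@code originStr} is null
 */
public static String safeSqlParse(String originStr) {
    if (originStr == null) {
        return null;
    }
    return SQL_KEYWORD_PATTERN.matcher(originStr).replaceAll("");
}
```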