diff --git a/sql/binlog.py b/sql/binlog.py index 1e078e55d9..eb9b2bbc24 100644 --- a/sql/binlog.py +++ b/sql/binlog.py @@ -1,4 +1,5 @@ # -*- coding: UTF-8 -*- +import MySQLdb import logging import os import time @@ -62,6 +63,9 @@ def del_binlog(request): result = {'status': 1, 'msg': '实例不存在', 'data': []} return HttpResponse(json.dumps(result), content_type='application/json') + # escape + binlog = MySQLdb.escape_string(binlog).decode('utf-8') + if binlog: query_engine = get_engine(instance=instance) query_result = query_engine.query(sql=fr"purge master logs to '{binlog}';") diff --git a/sql/data_dictionary.py b/sql/data_dictionary.py index eed329beee..9c24f3d6bc 100644 --- a/sql/data_dictionary.py +++ b/sql/data_dictionary.py @@ -27,6 +27,9 @@ def table_list(request): try: instance = Instance.objects.get(instance_name=instance_name, db_type='mysql') query_engine = get_engine(instance=instance) + # escape + db_name = MySQLdb.escape_string(db_name).decode('utf-8') + sql = f"""SELECT TABLE_NAME, TABLE_COMMENT @@ -62,6 +65,9 @@ def table_info(request): try: instance = Instance.objects.get(instance_name=instance_name, db_type='mysql') query_engine = get_engine(instance=instance) + # escape + db_name = MySQLdb.escape_string(db_name).decode('utf-8') + tb_name = MySQLdb.escape_string(tb_name).decode('utf-8') sql = f"""SELECT TABLE_NAME as table_name, @@ -141,6 +147,9 @@ def export(request): """导出数据字典""" instance_name = request.GET.get('instance_name', '') db_name = request.GET.get('db_name', '') + # escape + db_name = MySQLdb.escape_string(db_name).decode('utf-8') + try: instance = user_instances(request.user, db_type=['mysql']).get(instance_name=instance_name) query_engine = get_engine(instance=instance) diff --git a/sql/db_diagnostic.py b/sql/db_diagnostic.py index f56c83a1d2..578d881376 100644 --- a/sql/db_diagnostic.py +++ b/sql/db_diagnostic.py @@ -1,3 +1,5 @@ +import MySQLdb + import simplejson as json from django.contrib.auth.decorators import permission_required 
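Review bot: The escaping added in del_binlog before `if binlog:` uses the module-level `MySQLdb.escape_string`, which knows nothing about the connection's character set or `sql_mode`; MySQLdb's own docstring for it says to use `connection.escape_string`/`connection.escape` instead, under `NO_BACKSLASH_ESCAPES` a backslash-escaped value is not escaped at all, and with a multi-byte charset such as GBK the byte-level escape can be wrong. Because the value lands in a quoted literal here, parameter binding through the engine would be the robust form if `query_engine.query` accepts parameters (not visible); otherwise an allow-list on the binlog file name is a stronger check than escaping, e.g. `if not re.fullmatch(r"[\w.-]+", binlog):` returning the same `{'status': 1, ...}` error shape used for '实例不存在' above (`re` would need importing, since only logging/os/time are visible in the import hunk). Every other hunk in this commit (data_dictionary, db_diagnostic, instance, instance_account, instance_database, sql_optimize) calls the same module-level function and shares this limitation. del_binlog starts outside the hunk.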
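Review bot: In table_list the new `MySQLdb.escape_string(db_name)` line runs inside the `try:` on a value whose source is outside the hunk; if it is read as `request.GET.get('db_name')` without a default, a missing parameter gives `None`, `escape_string(None)` raises `TypeError`, and that lands in whatever `except` follows instead of a clean parameter error. The instance.py hunk in this same commit guards the same situation with `request.GET.get('db_name', '')`; table_list and table_info (same pattern, plus `tb_name`) should read their inputs the same way, as export already does. Both functions continue outside their hunks.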
@@ -29,6 +31,9 @@ def process(request): if AliyunRdsConfig.objects.filter(instance=instance, is_enable=True).exists(): result = aliyun_process_status(request) else: + # escape + command_type = MySQLdb.escape_string(command_type).decode('utf-8') + if command_type == 'All': sql = base_sql + ";" elif command_type == 'Not Sleep': diff --git a/sql/instance.py b/sql/instance.py index 600246ec22..5f96a95566 100644 --- a/sql/instance.py +++ b/sql/instance.py @@ -1,4 +1,5 @@ # -*- coding: UTF-8 -*- +import MySQLdb import os import time @@ -251,9 +252,9 @@ def instance_resource(request): """ instance_id = request.GET.get('instance_id') instance_name = request.GET.get('instance_name') - db_name = request.GET.get('db_name') - schema_name = request.GET.get('schema_name') - tb_name = request.GET.get('tb_name') + db_name = request.GET.get('db_name', '') + schema_name = request.GET.get('schema_name', '') + tb_name = request.GET.get('tb_name', '') resource_type = request.GET.get('resource_type') if instance_id: @@ -267,6 +268,11 @@ def instance_resource(request): result = {'status': 0, 'msg': 'ok', 'data': []} try: + # escape + db_name = MySQLdb.escape_string(db_name).decode('utf-8') + schema_name = MySQLdb.escape_string(schema_name).decode('utf-8') + tb_name = MySQLdb.escape_string(tb_name).decode('utf-8') + query_engine = get_engine(instance=instance) if resource_type == 'database': resource = query_engine.get_all_databases() diff --git a/sql/instance_account.py b/sql/instance_account.py index 5e7eb40ccb..83c968e284 100644 --- a/sql/instance_account.py +++ b/sql/instance_account.py @@ -1,4 +1,5 @@ # -*- coding: UTF-8 -*- +import MySQLdb import simplejson as json from django.contrib.auth.decorators import permission_required from django.contrib.auth.password_validation import validate_password 
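Review bot: `command_type` is only compared with fixed strings (`== 'All'`, `== 'Not Sleep'`) in the visible lines, so escaping it before the comparison changes nothing for the accepted values. If a later branch of the chain (outside the hunk) interpolates it into `sql`, backslash escaping still leaves spaces and other SQL tokens untouched, so the right check is membership in the accepted set, rejecting anything else before the `if`/`elif` chain with the error shape the view already uses, e.g. `if command_type not in ALLOWED_COMMAND_TYPES:` with a module constant (name constructed here) listing the values the chain handles. The rest of process, including the remaining branches, is outside the hunk.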
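Review bot: The three `MySQLdb.escape_string` calls added in instance_resource apply MySQL backslash escaping regardless of the instance's engine; unlike the data_dictionary views, which filter on `db_type='mysql'`, nothing visible in this hunk restricts the instance to MySQL, and for a PostgreSQL, MSSQL or Oracle engine `'` is escaped by doubling and `\` is an ordinary character, so the escaped name would no longer match the real object. If `get_engine` can return a non-MySQL engine here, the quoting belongs in each engine's lookup (`get_all_databases()` and the resource lookups that follow) rather than in the view, or at least in a per-engine escape helper. The `resource_type` dispatch and the `except` for this `try:` continue outside the hunk.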
@@ -93,6 +94,11 @@ def create(request): except ValidationError as msg: return JsonResponse({'status': 1, 'msg': f'{msg}', 'data': []}) + # escape + user = MySQLdb.escape_string(user).decode('utf-8') + host = MySQLdb.escape_string(host).decode('utf-8') + password1 = MySQLdb.escape_string(password1).decode('utf-8') + engine = get_engine(instance=instance) # 在一个事务内执行 hosts = host.split("|") @@ -155,6 +161,10 @@ def grant(request): priv_type = int(request.POST.get('priv_type')) privs = json.loads(request.POST.get('privs')) grant_sql = '' + + # escape + user_host = MySQLdb.escape_string(user_host).decode('utf-8') + # 全局权限 if priv_type == 0: global_privs = privs['global_privs'] @@ -235,6 +245,10 @@ def reset_pwd(request): except Instance.DoesNotExist: return JsonResponse({'status': 1, 'msg': '你所在组未关联该实例', 'data': []}) + # escape + user_host = MySQLdb.escape_string(user_host).decode('utf-8') + reset_pwd1 = MySQLdb.escape_string(reset_pwd1).decode('utf-8') + # TODO 目前使用系统自带验证,后续实现验证器校验 try: validate_password(reset_pwd1, user=None, password_validators=None) @@ -270,6 +284,9 @@ def delete(request): except Instance.DoesNotExist: return JsonResponse({'status': 1, 'msg': '你所在组未关联该实例', 'data': []}) + # escape + user_host = MySQLdb.escape_string(user_host).decode('utf-8') + engine = get_engine(instance=instance) exec_result = engine.execute(db_name='information_schema', sql=f"DROP USER {user_host};") if exec_result.error: diff --git a/sql/instance_database.py b/sql/instance_database.py index 31a6caf619..3deb528197 100644 --- a/sql/instance_database.py +++ b/sql/instance_database.py @@ -5,6 +5,8 @@ @file: instance_database.py @time: 2019/09/19 """ +import MySQLdb + import simplejson as json from django.contrib.auth.decorators import permission_required from django.http import JsonResponse, HttpResponse 
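Review bot: `user_host` is escaped with `MySQLdb.escape_string` in grant, but as the delete hunk below shows with `f"DROP USER {user_host};"` it is interpolated as an unquoted account name, and `escape_string` only backslash-escapes quote and control characters for a single-quoted literal — it does not touch spaces, backticks, semicolons or anything else meaningful in identifier position, so the escape does not constrain what ends up in the statement; the same applies to `f"create database {db_name};"` in the instance_database hunk. Worse, if `user_host` arrives already in the `'user'@'host'` form (not visible here), every `'` becomes `\'` and the statement is no longer valid SQL, so the existing functionality breaks. For account names, split the value into user and host and quote each part as a literal with a connection-aware escape, e.g. `user, host = user_host.split('@', 1)` and `f"DROP USER '{user}'@'{host}'"` after escaping both; for database names, validate against an identifier pattern and wrap in backticks with embedded backticks doubled. grant continues outside the hunk, and the `priv_type == 0` branch that builds `grant_sql` is only partially visible.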
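Review bot: In reset_pwd the password is escaped before `validate_password(reset_pwd1, user=None, password_validators=None)`, so the validators see the backslash-escaped text rather than what the user typed: a password containing quotes or backslashes gets longer, and a length or character-class rule can pass on the escaped form while the real password fails it. The create hunk above does it the other way round (validation, then escape), which is the correct order; move `reset_pwd1 = MySQLdb.escape_string(reset_pwd1).decode('utf-8')` to after the `try`/`except ValidationError` block. reset_pwd continues outside the hunk.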
@@ -102,6 +104,9 @@ def create(request): except Users.DoesNotExist: return JsonResponse({'status': 1, 'msg': '负责人不存在', 'data': []}) + # escape + db_name = MySQLdb.escape_string(db_name).decode('utf-8') + engine = get_engine(instance=instance) exec_result = engine.execute(db_name='information_schema', sql=f"create database {db_name};") if exec_result.error: diff --git a/sql/sql_optimize.py b/sql/sql_optimize.py index ab62194e52..dfda0b392e 100644 --- a/sql/sql_optimize.py +++ b/sql/sql_optimize.py @@ -5,6 +5,7 @@ @file: sql_optimize.py @time: 2019/03/04 """ +import MySQLdb import re import simplejson as json @@ -148,12 +149,14 @@ def optimize_sqltuning(request): sqltext = sqlparse.split(sqltext)[0] if re.match(r"^select|^show|^explain", sqltext, re.I) is None: result = {'status': 1, 'msg': '只支持查询SQL!', 'data': []} - return HttpResponse(json.dumps(result),content_type='application/json') + return HttpResponse(json.dumps(result), content_type='application/json') try: user_instances(request.user).get(instance_name=instance_name) except Instance.DoesNotExist: result = {'status': 1, 'msg': '你所在组未关联该实例!', 'data': []} return HttpResponse(json.dumps(result), content_type='application/json') + # escape + db_name = MySQLdb.escape_string(db_name).decode('utf-8') sql_tunning = SqlTuning(instance_name=instance_name, db_name=db_name, sqltext=sqltext) result = {'status': 0, 'msg': 'ok', 'data': {}}
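Review bot: The escaped `db_name` is handed to `SqlTuning(instance_name=instance_name, db_name=db_name, sqltext=sqltext)`, and how that class uses it is outside the hunk; if it ends up in identifier position (a `USE` statement or a qualified table name) rather than inside a quoted literal, `MySQLdb.escape_string` gives no protection there, and if it is used in a quoted literal the escaping should be done by the connection that executes it, not the view, since the module-level function ignores the connection charset. A comment on the new line recording which context the value is expected to reach, e.g. `# db_name must only be used by SqlTuning inside a quoted literal; keep in sync`, would let the next reader check the assumption. optimize_sqltuning continues outside the hunk.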