diff --git a/controllers/goods.js b/controllers/goods.js
index faf6560..4c61f99 100644
--- a/controllers/goods.js
+++ b/controllers/goods.js
@@ -60,8 +60,9 @@ async function getGoods(ctx) {
   }
 
   if (ctx.query.limit && !ctx.query.page) {
+    const limit = Math.min(10000, Math.max(1, parseInt(ctx.query.limit) || 20))
     sql += ' LIMIT ?'
-    params.push(parseInt(ctx.query.limit))
+    params.push(limit)
     const goods = await query(sql, params)
     ctx.body = { code: 200, data: processGoodsImages(goods) }
     return