diff --git a/controllers/goods.js b/controllers/goods.js
index 4c61f99..3055871 100644
--- a/controllers/goods.js
+++ b/controllers/goods.js
@@ -60,9 +60,9 @@ async function getGoods(ctx) {
 }
 if (ctx.query.limit && !ctx.query.page) {
- const limit = Math.min(10000, Math.max(1, parseInt(ctx.query.limit) || 20))
- sql += ' LIMIT ?'
- params.push(limit)
+ const limitStr = String(ctx.query.limit).trim()
+ const limit = Math.min(10000, Math.max(1, isNaN(parseInt(limitStr)) ? 20 : parseInt(limitStr)))
+ sql += ' LIMIT ' + limit
 const goods = await query(sql, params)
 ctx.body = { code: 200, data: processGoodsImages(goods) }
 return
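Review bot: The `LIMIT` value is now concatenated into the SQL text (`sql += ' LIMIT ' + limit`) instead of being bound through `params`, so this query stays injection-safe only because the line above forces `limit` to a number between 1 and 10000. That invariant is unstated and easy to break in a later edit; parse once with an explicit radix and say why inlining is acceptable: `const parsed = Number.parseInt(limitStr, 10)`, `const limit = Number.isNaN(parsed) ? 20 : Math.min(10000, Math.max(1, parsed))`, preceded by `// limit is a clamped integer; never inline ctx.query values into sql directly`. If the placeholder was dropped because the driver rejects a bound LIMIT (not visible here), the comment should say so. Note also that `limit=0` now yields 1 row where the old `|| 20` fallback yielded 20. getGoods begins and ends outside the hunk.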