diff --git a/kernel/treenode/blocktree.go b/kernel/treenode/blocktree.go
index 0f535a96b..5914e8bfb 100644
--- a/kernel/treenode/blocktree.go
+++ b/kernel/treenode/blocktree.go
@@ -343,10 +343,24 @@ func GetBlockTrees(ids []string) (ret map[string]*BlockTree) {
 return
 }
 
- sqlStmt := "SELECT * FROM blocktrees WHERE id IN ('" + strings.Join(ids, "','") + "')"
- rows, err := db.Query(sqlStmt)
+ stmtBuf := bytes.Buffer{}
+ stmtBuf.WriteString("SELECT * FROM blocktrees WHERE id IN (")
+ for i := range ids {
+ stmtBuf.WriteString("?")
+ if i == len(ids)-1 {
+ stmtBuf.WriteString(")")
+ } else {
+ stmtBuf.WriteString(",")
+ }
+ }
+ var args []any
+ for _, id := range ids {
+ args = append(args, id)
+ }
+ stmt := stmtBuf.String()
+ rows, err := db.Query(stmt, args...)
 if err != nil {
- logging.LogErrorf("sql query [%s] failed: %s", sqlStmt, err)
+ logging.LogErrorf("sql query [%s] failed: %s", stmt, err)
 return
 }
 defer rows.Close()
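Review bot: The closing `)` is written only inside the `for i := range ids` loop, so an empty `ids` would leave the statement as an unterminated `IN (`; the early `return` at the top of the hunk may be the guard for that, but its condition lies outside the hunk. Building the list in one expression, `stmt := "SELECT * FROM blocktrees WHERE id IN (" + strings.TrimSuffix(strings.Repeat("?,", len(ids)), ",") + ")"`, always closes the parenthesis and reuses the `strings` package the removed line already depended on, and `args := make([]any, 0, len(ids))` sizes the argument slice once. The number of placeholders is also unbounded: database engines cap the bound variables allowed in one statement (SQLite, if that is the backend here, through SQLITE_MAX_VARIABLE_NUMBER), so a very large `ids` would fail the whole query and the caller would see only an empty map and a log line. Querying in fixed-size batches of ids and merging the rows into `ret` would keep the parameterized form without that ceiling. The function body continues past the end of the hunk, so the row-scanning side of such a change is not visible here.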