diff --git a/backend/framework/src/main/java/org/jumpserver/chen/framework/datasource/sql/SQL.java b/backend/framework/src/main/java/org/jumpserver/chen/framework/datasource/sql/SQL.java
index a21e242..ef64c84 100644
--- a/backend/framework/src/main/java/org/jumpserver/chen/framework/datasource/sql/SQL.java
+++ b/backend/framework/src/main/java/org/jumpserver/chen/framework/datasource/sql/SQL.java
@@ -36,10 +36,17 @@ public static SQL of(String sql, Map<String, Object> params) {
     }
 
     public static SQL of(String sql, Object... params) {
+        StringBuilder sb = new StringBuilder();
+        int lastPos = 0;
         for (Object param : params) {
-            sql = sql.replaceFirst("\\?", param.toString());
+            int pos = sql.indexOf("?", lastPos);
+            if (pos == -1) break;
+            sb.append(sql, lastPos, pos);
+            sb.append(param.toString()); // 这里直接 append，完全不会触发 $ 报错
+            lastPos = pos + 1;
         }
-        return new SQL(sql);
+        sb.append(sql.substring(lastPos));
+        return new SQL(sb.toString());
     }
 
     public static SQL of(String sql) {