diff --git a/inventory-backend/app/api/v1/inbound/stock.py b/inventory-backend/app/api/v1/inbound/stock.py
index c2f6fbf..c1234ef 100644
--- a/inventory-backend/app/api/v1/inbound/stock.py
+++ b/inventory-backend/app/api/v1/inbound/stock.py
@@ -10,6 +10,14 @@ from app.models.inbound.buy import StockBuy
 from app.models.inbound.stocktake import StocktakeDraft
 from app.models.transaction import TransBorrow
+
+def _normalize_user_id(user_id):
+ """规范化 user_id,确保是有效字符串"""
+ if not user_id or not isinstance(user_id, str) or len(user_id) > 100:
+ return 'admin'
+ return user_id.strip()
+
+
 # 尝试导入半成品和成品
 try:
 from app.models.inbound.semi import StockSemi
@@ -119,7 +127,7 @@ def get_drafts():
 获取当前用户的盘点进度
 支持过滤: session_id, is_finished, is_processed
 """
- user_id = request.args.get('user_id', 'admin')
+ user_id = _normalize_user_id(request.args.get('user_id', 'admin'))
 session_id = request.args.get('session_id')
 is_finished = request.args.get('is_finished')
 is_processed = request.args.get('is_processed')
@@ -146,7 +154,7 @@ def add_draft():
 """
 try:
 data = request.json
- user_id = data.get('user_id', 'admin')
+ user_id = _normalize_user_id(data.get('user_id', 'admin'))
 uuid = data.get('uuid')
 quantity = float(data.get('quantity', 1))
 session_id = data.get('session_id')
@@ -212,7 +220,7 @@ def clear_draft():
 支持清除指定 session_id 的记录,或清除所有未完成的记录
 """
 data = request.json
- user_id = data.get('user_id', 'admin')
+ user_id = _normalize_user_id(data.get('user_id', 'admin'))
 session_id = data.get('session_id')
 try:
@@ -243,7 +251,7 @@ def start_new_session():
 2. 返回新的 session_id
 """
 data = request.json
- user_id = data.get('user_id', 'admin')
+ user_id = _normalize_user_id(data.get('user_id', 'admin'))
 try:
 # 清除旧的未处理盘点数据
@@ -279,7 +287,7 @@ def finish_stocktake():
 3. 不删除任何草稿数据,保留历史
 """
 data = request.json
- user_id = data.get('user_id', 'admin')
+ user_id = _normalize_user_id(data.get('user_id', 'admin'))
 session_id = data.get('session_id')
 if not session_id:
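Review bot: `_normalize_user_id` validates before it strips, so a whitespace-only value (for example `'   '`, a constructed sample) passes the `not user_id` test and is returned as an empty string, and the 100-character limit is applied to the unstripped value. Strip first and validate the result: `cleaned = user_id.strip() if isinstance(user_id, str) else ''` followed by `return cleaned if 0 < len(cleaned) <= 100 else 'admin'`. Every rejected value is also mapped to `'admin'`, so malformed input is silently handled as the admin user; rejecting the request would be the safer default, and the docstring should state the fallback either way.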
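Review bot: In get_drafts the identity that scopes the query is still read from the client (`request.args.get('user_id', 'admin')`), so normalizing it does not prevent a caller from naming another user, or from omitting the field and being treated as `admin`. The same pattern is in add_draft, clear_draft, start_new_session, finish_stocktake and get_variance_report. No authentication is visible in these hunks; if the routes are authenticated elsewhere, take the user id from the authenticated session or token and use the request parameter only as a value to compare against it. The body of get_drafts continues outside the hunk.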
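Review bot: In clear_draft, `data = request.json` is read before the `try:`, so the new `data.get('user_id', 'admin')` call raises AttributeError outside any error handling whenever the body does not parse to a JSON object (it may be `None` or a list, depending on the framework version). start_new_session and finish_stocktake have the same shape, whereas add_draft reads the body inside its `try:`. Assuming this is Flask, `data = request.get_json(silent=True) or {}` followed by an `isinstance(data, dict)` check that returns a 400 would make the three handlers fail predictably. The function bodies continue outside the hunks.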
@@ -330,7 +338,7 @@ def get_variance_report():
 返回所有 is_finished=True 且 is_processed=False 的记录
 即:已结束盘点但尚未手动平账的差异记录
 """
- user_id = request.args.get('user_id', 'admin')
+ user_id = _normalize_user_id(request.args.get('user_id', 'admin'))
 session_id = request.args.get('session_id')
 try: