diff --git a/src/Core/Application/Services/TextToSqlService.cs b/src/Core/Application/Services/TextToSqlService.cs
index fae8deb..1b77657 100644
--- a/src/Core/Application/Services/TextToSqlService.cs
+++ b/src/Core/Application/Services/TextToSqlService.cs
@@ -637,9 +637,10 @@ public class TextToSqlService : ITextToSqlService
 ? dto.TagNames : await GetAllTagNamesAsync(conn);
- var from = dto.From?.ToString("yyyy-MM-dd HH:mm:ss") ?? DateTime.Now.AddDays(-1).ToString("yyyy-MM-dd HH:mm:ss");
- var to = dto.To?.ToString("yyyy-MM-dd HH:mm:ss") ?? DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss");
-
+ // 날짜 파라미터도 SQL 인젝션 방지를 위해 parameterized 처리
+ var fromTimestamp = dto.From ?? DateTime.Now.AddDays(-1);
+ var toTimestamp = dto.To ?? DateTime.Now;
+
 var tagResults = new List();
 foreach (var tagName in tagNames)
@@ -660,8 +661,8 @@ public class TextToSqlService : ITextToSqlService
 using var cmd = new NpgsqlCommand(sql, conn);
 cmd.Parameters.AddWithValue("@tagName", tagName);
- cmd.Parameters.AddWithValue("@fromTimestamp", DateTime.Parse(from));
- cmd.Parameters.AddWithValue("@toTimestamp", DateTime.Parse(to));
+ cmd.Parameters.AddWithValue("@fromTimestamp", fromTimestamp);
+ cmd.Parameters.AddWithValue("@toTimestamp", toTimestamp);
 using var reader = await cmd.ExecuteReaderAsync();
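Review bot: The new defaults `fromTimestamp`/`toTimestamp` are built from `DateTime.Now`, which carries `DateTimeKind.Local`, and in recent Npgsql versions `AddWithValue` infers the PostgreSQL type from that kind (UTC maps to `timestamp with time zone`, Local/Unspecified to `timestamp without time zone`), so the queried window now depends on the host time zone and on whatever kind `dto.From`/`dto.To` arrive with, whereas the removed `DateTime.Parse` round-trip always produced Unspecified values; I cannot see the column type, so confirm which one the tag table uses. Prefer `var fromTimestamp = dto.From ?? DateTime.UtcNow.AddDays(-1);` and `var toTimestamp = dto.To ?? DateTime.UtcNow;`, and set the parameter type explicitly at the two `AddWithValue` calls in the second hunk (`NpgsqlDbType.TimestampTz` or `NpgsqlDbType.Timestamp`) rather than relying on inference. The added comment says the change is what makes the dates parameterized, but the removed lines already passed both values as parameters; the real gain is dropping the culture-sensitive, second-precision format/`Parse` round-trip, so `// Pass DateTime values straight through; the old format/Parse round-trip was culture-sensitive and lossy` describes it more accurately. Nothing rejects a `dto.From` later than `dto.To`; a guard such as `if (fromTimestamp > toTimestamp) throw new ArgumentOutOfRangeException(nameof(dto.From));` would fail fast instead of running an empty query per tag. The enclosing method starts and ends outside this hunk.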