diff --git a/extend/r2-storage/src/R2FileHandler.php b/extend/r2-storage/src/R2FileHandler.php
index e0b6cc0..eee65e3 100644
--- a/extend/r2-storage/src/R2FileHandler.php
+++ b/extend/r2-storage/src/R2FileHandler.php
@@ -117,6 +117,11 @@ class R2FileHandler
      */
     public function handleUpload(array $file, string $boTable, int $memberId = 0, string $type = 'board'): array
     {
+        // 필수 키 체크
+        if (!isset($file['error']) || !isset($file['tmp_name']) || !isset($file['name']) || !isset($file['size'])) {
+            return ['success' => false, 'error' => 'Invalid file array'];
+        }
+
         // 업로드 에러 체크
         if ($file['error'] !== UPLOAD_ERR_OK) {
             return $this->handleUploadError($file['error']);
diff --git a/extend/r2_hooks.php b/extend/r2_hooks.php
index 7bba56e..9a93df4 100644
--- a/extend/r2_hooks.php
+++ b/extend/r2_hooks.php
@@ -221,10 +221,17 @@ function r2_migrate_board_files(string $boTable, int $limit = 100): array
     $handler = get_r2_handler();
     $results = ['migrated' => 0, 'failed' => 0, 'skipped' => 0, 'errors' => []];
 
+    // 테이블명 검증 (영문, 숫자, 언더스코어만 허용)
+    if (!preg_match('/^[a-zA-Z0-9_]+$/', $boTable)) {
+        return ['success' => false, 'error' => 'Invalid table name'];
+    }
+
+    $limit = (int) $limit;
+
     // 아직 마이그레이션되지 않은 파일 조회
     $sql = "SELECT bf_no, wr_id, bf_file, bf_source
             FROM {$g5['board_file_table']}
-            WHERE bo_table = '{$boTable}'
+            WHERE bo_table = '" . sql_real_escape_string($boTable) . "'
               AND (bf_storage_type IS NULL OR bf_storage_type = 'local')
               AND bf_r2_key IS NULL
             LIMIT {$limit}";
@@ -240,10 +247,12 @@ function r2_migrate_board_files(string $boTable, int $limit = 100): array
         }
 
         // 회원 ID 조회 (게시글에서)
-        $write = sql_fetch("SELECT mb_id FROM {$g5['write_prefix']}{$boTable} WHERE wr_id = '{$row['wr_id']}'");
+        $wrId = (int) $row['wr_id'];
+        $write = sql_fetch("SELECT mb_id FROM {$g5['write_prefix']}{$boTable} WHERE wr_id = '{$wrId}'");
         $memberId = 0;
-        if ($write['mb_id']) {
-            $member = sql_fetch("SELECT mb_no FROM {$g5['member_table']} WHERE mb_id = '{$write['mb_id']}'");
+        if (!empty($write['mb_id'])) {
+            $mbId = sql_real_escape_string($write['mb_id']);
+            $member = sql_fetch("SELECT mb_no FROM {$g5['member_table']} WHERE mb_id = '{$mbId}'");
             $memberId = (int) ($member['mb_no'] ?? 0);
         }