The invention relates to a method for detecting SQL (structured query language) injection vulnerability, comprising the following steps:
1. capturing the user input data;
2. generating harmless input;
3. carrying out SQL lexical analysis and syntactic analysis to generate SQL syntax trees, namely a syntax tree based on the word strings input by the user and a syntax tree based on the harmless word strings;
4. comparing the two SQL syntax trees, and if they are identical, considering the group of test word strings to have passed the test;
5. responding to the result: if a user attempting to carry out SQL injection is found, blocking the HTTP (hypertext transfer protocol) package, and otherwise releasing it.
In the method, the analyzed objects are the data input by the user directly or indirectly, which restores the real intention of the user as far as possible and reduces the false alarm rate; meanwhile, because the analysis is based on the SQL syntax trees, SQL injection can be blocked at its root, thereby improving the accuracy of the detection.
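As an added worked example of steps 3 and 4 (this is illustrative code, not the patent's own implementation): a small tokenizer and recursive-descent parser for a SELECT ... FROM ... WHERE subset build the syntax tree of the query once with the user's input and once with a harmless substitute, drop literal values so that only the tree shape is compared, and report any difference in shape as an injection attempt. The grammar, token names, the `{}` template convention and the `injection_detected` helper are all assumptions constructed for this example.

```python
import re
TOKEN_RE = re.compile(  # lexical grammar of a deliberately small SQL subset (constructed here)
    r"\s*(?:(?P<COMMENT>--[^\n]*|/\*.*?\*/)|(?P<NUM>\d+)|(?P<STR>'(?:[^']|'')*')"
    r"|(?P<OP>=|<>|<=|>=|<|>)|(?P<PUNCT>[(),;])|(?P<WORD>[A-Za-z_][A-Za-z0-9_]*)|(?P<BAD>.))", re.S)
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR"}

def tokenize(sql):
    """Lexical analysis: (kind, text) pairs; keywords fold to upper case, unknown chars become BAD."""
    tokens = []
    for m in TOKEN_RE.finditer(sql.strip()):
        kind, text = m.lastgroup, m.group(m.lastgroup)
        if kind == "WORD" and text.upper() in KEYWORDS:
            kind, text = "KW", text.upper()
        tokens.append((kind, text))
    return tokens

def parse(tokens):
    """Syntactic analysis for SELECT col FROM table WHERE expr; literal values are not kept."""
    pos = 0
    peek = lambda: tokens[pos] if pos < len(tokens) else ("EOF", None)
    def take(kind, text=None):
        nonlocal pos
        tok = peek()
        if tok[0] != kind or (text is not None and tok[1] != text):
            raise SyntaxError(f"expected {kind} {text or ''}, got {tok}")
        pos += 1
        return tok
    def operand():
        kind = peek()[0]
        if kind not in ("WORD", "NUM", "STR"):
            raise SyntaxError(f"unexpected token {peek()}")
        return ("COL", take(kind)[1]) if kind == "WORD" else (take(kind)[0],)  # literal value dropped
    term = lambda: ("CMP", operand(), take("OP")[1], operand())
    def expr():
        node = term()
        while peek()[0] == "KW" and peek()[1] in ("AND", "OR"):
            node = (take("KW")[1], node, term())
        return node
    head = [take("KW", "SELECT"), take("WORD"), take("KW", "FROM"), take("WORD"), take("KW", "WHERE")]
    where = expr()
    take("EOF")  # nothing may follow the WHERE clause: a trailing comment or ';' breaks the grammar
    return ("SELECT", head[1][1], head[3][1], where)  # (column, table, predicate tree)

def injection_detected(template, user_input, harmless_input):
    """Steps 3 and 4 of the method: build the user tree and the harmless tree, then compare them."""
    harmless_tree = parse(tokenize(template.format(harmless_input)))
    try:
        return parse(tokenize(template.format(user_input))) != harmless_tree
    except SyntaxError:
        return True  # assumption: input the template's grammar cannot parse is treated as an attempt
```

A value that only changes a literal (a different number, or a string containing an escaped quote) yields the same tree as the harmless input and passes, while input that adds a predicate or trailing comment changes the tree shape and is flagged; step 5 (blocking or releasing the HTTP package) would act on this boolean.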