Abstract: To address the SQL injection problem in Web security, a new SQL injection filtering method named LFS (length-frequency-SQL syntax tree) is proposed in this study. LFS consists of two phases: a learning phase and a filtering phase. In the learning phase, a mapping table from URLs to SQL statements is built in a secure environment using a crawler and a database agent. In the filtering phase, the URL length, the access frequency, and the SQL syntax tree are checked in order to filter user input and prevent SQL injection attacks. Simulation experiments and analysis of the results indicate that the proposed LFS method prevents SQL injection attacks more effectively than the traditional keyword filtering and regular expression filtering methods.
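As an added illustration (not the paper's code), the following Python sketch shows the two LFS phases: learn() records, per URL path, the SQL statement structure and the longest URL seen in the trusted environment, and check() applies the length, frequency and syntax tests in that order. The class name LFSFilter, the flat token skeleton used as a stand-in for a full syntax tree, the thresholds, and the caller-supplied timestamp are all assumptions of this example.

```python
import re
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Literals become placeholders so the skeleton captures only query structure.
_TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_]\w*|--|/\*|\*/|<>|<=|>=|\S")

def sql_skeleton(sql):
    """Simplified stand-in for the SQL syntax tree (assumption of this example):
    string and numeric literals become STR/NUM, everything else is upper-cased.
    Input that changes the query structure (extra OR, UNION, comment) changes it."""
    out = []
    for tok in _TOKEN_RE.findall(sql):
        if tok.startswith("'"):
            out.append("STR")
        elif tok[0].isdigit():
            out.append("NUM")
        else:
            out.append(tok.upper())
    return tuple(out)

class LFSFilter:
    def __init__(self, max_requests=20, window_seconds=10.0, length_margin=2.0):
        self.profiles = {}                 # URL path -> {"skeletons": set, "max_url_len": int}
        self.history = defaultdict(deque)  # client -> request timestamps inside the window
        self.max_requests = max_requests
        self.window = window_seconds
        self.length_margin = length_margin

    def learn(self, url, sql):
        """Learning phase: record the URL -> SQL structure mapping from trusted traffic."""
        prof = self.profiles.setdefault(urlsplit(url).path, {"skeletons": set(), "max_url_len": 0})
        prof["skeletons"].add(sql_skeleton(sql))
        prof["max_url_len"] = max(prof["max_url_len"], len(url))

    def check(self, url, sql, client, now):
        """Filtering phase: return None to accept, or the name of the test that rejected."""
        prof = self.profiles.get(urlsplit(url).path)
        if prof is None:
            return "unknown-route"
        if len(url) > prof["max_url_len"] * self.length_margin:   # L: URL length
            return "length"
        stamps = self.history[client]                              # F: access frequency
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()
        stamps.append(now)
        if len(stamps) > self.max_requests:
            return "frequency"
        if sql_skeleton(sql) not in prof["skeletons"]:             # S: SQL structure
            return "syntax"
        return None
```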