TIAN Yu-jie, ZHAO Ze-mao, ZHANG Hai-chuan, LI Xue-shuang
Abstract: With the rapid development of Internet technology, Web applications have become widespread, and database-backed Web applications are widely used in a variety of enterprise business systems. However, because developers' experience is uneven, Web applications contain many security risks. Many factors affect the security of Web applications. SQL injection is the most common attack and the easiest to implement, and is considered the most destructive. Preventing SQL injection is therefore critical to Web applications, and how to prevent it effectively has become an important research topic. A SQL injection attack exploits the syntax of Structured Query Language. The traditional SQL injection defense model defends against SQL injection by filtering user input and performing syntax comparison, but when malicious data in the database is added to a dynamic SQL statement, a second-order SQL injection attack can occur. Building on previous studies, this paper proposes a second-order SQL injection attack defense model based on improved parameterization. The proposed model consists of an input filter module, an index replacement module, a syntax comparison module and a parameterized replacement module. Experiments show that the proposed model can effectively prevent second-order SQL injection attacks.
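The second-order case the abstract describes, as an added example that is not the paper's model or code: a value stored safely with bound parameters is later read back and concatenated into a dynamic statement, shown beside the parameterized form. The table, column names, function names and sample rows are constructed for illustration, using Python's built-in `sqlite3`.

```python
import sqlite3

def make_db():
    """Build an in-memory database with two constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # First-order defence holds: both rows are inserted with bound
    # parameters, so the quote and comment characters are stored as data.
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "admin-secret"), ("admin'--", "other-pw")],
    )
    return db

def _stored_name(db, session_user):
    # The name is read back from the database, where it is often
    # (wrongly) assumed to be trustworthy because it was filtered on input.
    (name,) = db.execute(
        "SELECT name FROM users WHERE name = ?", (session_user,)
    ).fetchone()
    return name

def change_password_dynamic(db, session_user, new_pw):
    """Weak form: stored data is concatenated into a dynamic statement."""
    stored = _stored_name(db, session_user)
    escaped_pw = new_pw.replace("'", "''")  # only the fresh input is escaped
    db.execute(
        "UPDATE users SET password = '" + escaped_pw
        + "' WHERE name = '" + stored + "'"
    )

def change_password_parameterized(db, session_user, new_pw):
    """Hardened form: stored data is bound as a parameter, never parsed."""
    stored = _stored_name(db, session_user)
    db.execute("UPDATE users SET password = ? WHERE name = ?", (new_pw, stored))

def passwords(db):
    """Return {name: password} so the effect of each update can be compared."""
    return dict(db.execute("SELECT name, password FROM users"))

if __name__ == "__main__":
    for update in (change_password_dynamic, change_password_parameterized):
        db = make_db()
        update(db, "admin'--", "new-pw")
        print(update.__name__, passwords(db))
```

In the dynamic version the stored name changes the statement's `WHERE` clause, so a different row is updated than the one belonging to the session user; in the parameterized version only the session user's own row changes.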
URL: http://netinfo-security.org/EN/
http://netinfo-security.org/EN/Y2014/V14/I11/70