The invention provides an SQL injection defense method for a database, comprising the following steps: (a) receiving SQL statements sent by an application system to access the database; (b) performing injection judgement and checking on the SQL statements; if an SQL statement is an SQL injection, intercepting it, recording the error, and returning exception information to the application system; if it is not an SQL injection, querying the operational interface specification of the corresponding database that the statement needs to access, and splicing an SQL statement that conforms to that database operational interface specification; (c) sending the specified SQL statement spliced in step (b) to the corresponding database to perform the database operation; (d) returning the query result to the application system. According to the invention, a database agent server is deployed as per this method, and operation and maintenance measures are used to deny any application system other than the database agent server access permission to the database, thereby preventing SQL injection.
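A minimal illustration of steps (a) through (d), added here as an example and not code from the patent: a database agent that accepts only statements matching a constructed operational interface specification, binds the captured literal as a parameter when splicing, and records and rejects anything else. The specification entries, the `users` table and the sample rows are assumptions.

```python
import re
import sqlite3

# Constructed "operational interface specification" (hypothetical): each entry maps
# the statement shape an application may send to the parameterised statement spliced in step (b).
INTERFACE_SPEC = {
    "user_by_name": (
        re.compile(r"^SELECT id, name FROM users WHERE name = '([^';]*)'$", re.I),
        "SELECT id, name FROM users WHERE name = ?",
    ),
}

class DatabaseAgent:
    """Holds the only connection to the database; application systems talk to it."""
    def __init__(self, conn):
        self.conn = conn
        self.error_log = []  # step (b): intercepted statements are recorded here

    def _check(self, sql):
        """Step (b): judge the statement against the specification. Accept only a statement
        matching one template exactly and bind the captured literal as a parameter, so the
        spliced statement's shape is fixed by the spec, not by the application's text."""
        if ";" in sql or "--" in sql or "/*" in sql:  # extra statements or comments
            return None
        for _name, (pattern, template) in INTERFACE_SPEC.items():
            m = pattern.match(sql.strip())
            if m:
                return template, m.groups()
        return None

    def execute(self, sql):  # step (a): statement received from the application system
        spliced = self._check(sql)
        if spliced is None:
            self.error_log.append(sql)  # record the error ...
            return {"error": "statement rejected by database agent"}  # ... and report it
        template, params = spliced
        rows = self.conn.execute(template, params).fetchall()  # step (c)
        return {"rows": rows}  # step (d)

def demo():
    conn = sqlite3.connect(":memory:")  # constructed sample database
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    agent = DatabaseAgent(conn)
    ok = agent.execute("SELECT id, name FROM users WHERE name = 'alice'")  # conforms to spec
    bad = agent.execute("DELETE FROM users")  # not in the spec: intercepted and logged
    return ok, bad, agent.error_log
```

Because the check matches statement shape, a legitimate literal containing a quote is also rejected; in practice the application would send parameters rather than inlined literals.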