SQL injection attack is a common type of attack against Web application vulnerabilities. Any form of SQL injection attacks will eventually change the logical structure of the original SQL statement， going against the original intention of the designer. The existing SQL injection attack detection methods have the shortcomings that the detection code is not easily reusable and cannot be injected into Web application online. Therefore， a model for online detection of SQL injection attacks based on Event Condition Action （ECA） rules and dynamic taint analysis was proposed. Firstly， taint marking rules were defined to monitor taint source functions， thereby marking data imported from outside of the system. Then， taint propagation rules were defined to track the flow of taint data inside the application in real time. Next， taint checking rules were defined to intercept the parameters of the taint sink functions and parse taint states they may carry. Finally， the ECA rule scripts were loaded at the runtime of the original Web application for the purpose of online detection of SQL injection attacks， and the Web application did not need to be recompiled， packaged and deployed. The proposed model was implemented by using Byteman. In two different Web application test experiments， the proposed model can identify most of the SQL injection attack samples， and there are no false positives for normal request samples， the detection accuracy of the proposed model reaches 99.42%， which is better than those of Support Vector Machine （SVM） based method and Term Frequency-Inverse Document Frequency （TF-IDF） based method. Compared with the method based on Aspect-Oriented Programming （AOP）， the proposed model is easy to load the detection module online after Web applications are started. Experimental results show that the proposed model can detect 6 common forms of SQL injection attacks without modifying execution engine and source code of the application， and has the advantage of online detection.