
Automated Defense Mechanism for Web Application Injection Attacks

AN AUTOMATED DEFENSE MECHANISM FOR WEB APPLICATION INJECTION ATTACK

Advisor: 林金城

Abstract (translated from Chinese)

Injection vulnerabilities usually stem from a failure to check input data, so proper input validation is an effective strategy against injection attacks. Although this is a simple concept, we found that many existing programs are not carefully written and often lack even the most basic security step of checking input data; in particular, for some older programs it may be impossible to modify the source code to strengthen input validation. Many tools can detect injection vulnerabilities, but very few can fix them automatically. We have been studying automated defense mechanisms against web application injection attacks for some time and have developed a system named "安全守護員" (Security Guardian). The system is highly scalable, handling both the continuous growth of a website and the emergence of new injection techniques, and it is also transparent: website users do not notice its presence, and it requires neither modification of the program's source code nor the participation of its developers. To verify the effectiveness and performance of this defense system, we focused on the accuracy and speed of identifying web crawlers and on the accuracy of filtering malicious injected data. The experimental results show that our method achieves better accuracy than other filtering methods, and that it can correctly and quickly distinguish the various kinds of website visitors according to the site's security policy, so that visitors who violate that policy can be excluded.

Abstract (original English)

Injection flaws result from unvalidated input, so proper input validation is an effective countermeasure against injection attacks. Some programs are poorly written, lacking even the most basic security procedures for sanitizing input. Furthermore, for some legacy applications it may not be feasible to modify the source code of the affected components. Input validation vulnerabilities can be detected by many tools, but very few tools can automatically fix the flaws. We have been devoted to the study of automated defense mechanisms for Web application injection attacks and have developed a security safeguard with good scalability when applied to Web site growth or unknown injection attacks. It is transparent and independent of programming languages, and requires neither application developers' interaction nor source code modifications. To verify the effectiveness and efficiency of the defense mechanism, we focus on whether detection errors have been reduced, on detection speed, and on the accuracy of identifying Web crawlers. The experimental results show that our method produces the fewest errors in comparison with other sanitizing strategies, and that various Web visitors can be correctly and quickly differentiated in accordance with the security policy.

