diff --git a/vulnerabilities/sqlinjection/detect_sql_injection.go b/vulnerabilities/sqlinjection/detect_sql_injection.go
index fba6c1e7..65ab91b2 100644
--- a/vulnerabilities/sqlinjection/detect_sql_injection.go
+++ b/vulnerabilities/sqlinjection/detect_sql_injection.go
@@ -17,7 +17,7 @@ const (
 func detectSQLInjection(query string, userInput string, dialect int) int {
 // Lowercase versions of query and user input
 queryLowercase := strings.ToLower(query)
- userInputLowercase := strings.ToLower(userInput)
+ userInputLowercase := strings.TrimSpace(strings.ToLower(userInput))
 
 if shouldReturnEarly(queryLowercase, userInputLowercase) {
 return sqlInjectionSafe
diff --git a/vulnerabilities/sqlinjection/detect_sql_injection_test.go b/vulnerabilities/sqlinjection/detect_sql_injection_test.go
index 5f83d0db..3801342b 100644
--- a/vulnerabilities/sqlinjection/detect_sql_injection_test.go
+++ b/vulnerabilities/sqlinjection/detect_sql_injection_test.go
@@ -125,6 +125,12 @@ func TestIsSQLInjection(t *testing.T) {
 first_name, last_name FROM users WHERE email_lowercase = '' or 1=1 -- a',`, "' OR 1=1 -- a"},
+
+ // it detects injection when user input has trailing whitespace (trimmed by DB driver)
+ {
+ "INSERT INTO pets (name, owner) VALUES ('x', 'dummy'), ('injected', 'hacker'); --', 'owner')",
+ "x', 'dummy'), ('injected', 'hacker'); -- ",
+ },
 }
 for _, tt := range tests {
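Review bot: The comment above the changed line still reads "Lowercase versions of query and user input", but `userInputLowercase` is now also trimmed while `queryLowercase` is not, and nothing in the hunk says why; replace it with `// Lowercase query and user input. The input is additionally stripped of leading/trailing whitespace because some DB drivers/ORMs drop it before the value reaches the query, so the untrimmed form would never be found in the query text.` `strings.TrimSpace` removes every Unicode white-space code point, which is broader than the ASCII trimming a driver is likely to perform; since the trimmed value is always a substring of the untrimmed one this can only widen what is matched against `query`, so it should not introduce new misses, but that reasoning deserves to be stated in the comment. Input that is whitespace-only becomes an empty string after trimming and is then passed to `shouldReturnEarly`; whether that is treated as safe depends on `shouldReturnEarly`, which is outside the hunk, and the new test only covers a trailing space, so an explicit whitespace-only case would pin that behaviour. The body of `detectSQLInjection` continues past the end of the hunk.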