diff --git a/library/vulnerabilities/sql-injection/detectSQLInjection.test.ts b/library/vulnerabilities/sql-injection/detectSQLInjection.test.ts
index 7b46b2f9a..83e65356e 100644
--- a/library/vulnerabilities/sql-injection/detectSQLInjection.test.ts
+++ b/library/vulnerabilities/sql-injection/detectSQLInjection.test.ts
@@ -329,6 +329,13 @@ t.test("It works with non-UTF-8 characters and emojis", async () => {
   isNotSqlInjection("SELECT * FROM users WHERE id = 'a 🛡️'", "a 🛡️");
 });
 
+t.test("detects injection with trailing spaces in user input", async () => {
+  isSqlInjection(
+    "INSERT INTO pets (name, owner) VALUES ('x', 'dummy'), ('injected', 'hacker'); --', 'owner')",
+    "x', 'dummy'), ('injected', 'hacker'); -- "
+  );
+});
+
 const files = [
   // Taken from https://github.com/payloadbox/sql-injection-payload-list/tree/master
   join(__dirname, "payloads", "Auth_Bypass.txt"),
diff --git a/library/vulnerabilities/sql-injection/detectSQLInjection.ts b/library/vulnerabilities/sql-injection/detectSQLInjection.ts
index 8dd5e9af9..0f84b6ad1 100644
--- a/library/vulnerabilities/sql-injection/detectSQLInjection.ts
+++ b/library/vulnerabilities/sql-injection/detectSQLInjection.ts
@@ -17,13 +17,14 @@ export function detectSQLInjection(
   userInput: string,
   dialect: SQLDialect
 ): SQLInjectionDetectionResultType {
-  if (shouldReturnEarly(query, userInput)) {
+  const userInputNormalized = userInput.toLowerCase().trim();
+  if (shouldReturnEarly(query, userInputNormalized)) {
     return SQLInjectionDetectionResult.SAFE;
   }
 
   const code = wasm_detect_sql_injection(
     query.toLowerCase(),
-    userInput.toLowerCase(),
+    userInputNormalized,
     dialect.getWASMDialectInt()
   );
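Review bot: The new test pins a single trailing space, but the normalization it exercises is not specific to that case; a second `isSqlInjection` call with the same query and a leading/tab/newline-padded variant of the same input, e.g. `" \tx', 'dummy'), ('injected', 'hacker'); --\n"`, would document that detection holds for whitespace on either side. A negative counterpart is also missing: a whitespace-padded benign value such as `isNotSqlInjection("SELECT * FROM users WHERE id = 'abc'", " abc ")` would confirm that the trimming does not turn a harmless padded value into a finding. The test name says "trailing spaces" in the plural while the payload has exactly one; either add a multi-space case or name it for what it checks.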
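Review bot: The early-return check now receives the lowercased, trimmed input while `query` is still passed un-normalized; if `shouldReturnEarly` (outside this hunk) decides by checking whether the query contains the user input with a plain `includes`, mixed-case user data in the query would now fail that check and return `SAFE` before the WASM detector runs, which would be a detection regression rather than an improvement. Confirm that `shouldReturnEarly` normalizes its own arguments, or pass `query.toLowerCase()` alongside `userInputNormalized` so both paths see the same casing. The trimming also deserves a why-comment, since nothing in the hunk says why edge whitespace is dropped before matching: `// trim: input that was whitespace-stripped before being embedded in the query would otherwise never be found in it`. Hoisting `query.toLowerCase()` into a `const` next to `userInputNormalized` would keep the two normalizations visibly parallel. detectSQLInjection's body continues outside the hunk.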