SQL injection attacks toward web application increasingly prevalent. Testing to the web that will published is the one of preventive measures. However, this method sometimes ineffective because constrained by various things. Instrusion detection system (IDS) has ability to help and protect the website from various attacks. This study proposed a hybrid IDS for web applications from SQL injection attacks. The IDS built based on hybrid architecture with a signature-based detection method, type of data that will be analyzed is network data packet and error log. The fuzzy logic inference engine used to be drawn the conclusion based on analyzed data. Proposed hybrid IDS tested against various types of SQL injection attack, such as Tautology, UNION query, Piggy-backed query, Malformed query, Stored Procedure, and Alternate Encoding. System testing is done with three scenarios with the aim of seeing the hybrid IDS response to the occurrence of false positives and false negative, including: testing with normal website access, testing with normal website access but inserting suspicious strings as part of SQL injection, and access that is truly a SQL injection attack. The result test shows that proposed hybrid IDS has good performance on detecting the various type of SQL injection attack, and significantly reduce or even remove the false positive and false negative.