Quantum private query (QPQ) is a communication protocol established under the condition of mutual distrust between communication parties, which is used to solve the symmetrically private information retrieval problem in the quantum field. However, most of the existing QPQ protocols are based on the ideal light source. In practice, the multi-photon pulse generated by the transmitter will bring great security problems. We analyze the actual security of QPQ protocol in two-way communication, and find that database security and user privacy will be seriously threatened under multi-photon pulse. So we adopt the decoy state method to solve the actual security problem of QPQ protocol in view of the user side as the light source. The results show that the decoy state method is suitable for QPQ protocol of two-way communication, and can effectively defend against multi-photon pulse attacks.