
SQL injection vulnerability

Updated: 2023-02-05 21:23:36


Trying to detect the vulnerabilities from the front may help, but really you should be looking at the code, in particular all code that relates to DbCommand, SqlCommand, etc. The key point, as you clearly know, is never to concatenate user input into a query, but to parameterise it. There are good tools available that can make this parameterisation easy to do - or at least, easier than doing it manually. For example, if you have:

using(var cmd = conn.CreateCommand()) {
    cmd.CommandText = "delete from Orders where id = " + id;
    cmd.ExecuteNonQuery();
}


then a tool like dapper-dot-net will allow you to do things like:

conn.Execute("delete from Orders where id = @id", new {id});


which is less code, largely a copy-paste, but is fully injection-safe and allows query-plan re-use.
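As an added example (not part of the answer above, and not Dapper's own code), the same delete written against plain ADO.NET so the parameter is built through the provider-neutral DbCommand API rather than by string concatenation; it assumes `conn` is an open DbConnection and that Orders.id is an integer column.

```csharp
using System;
using System.Data;
using System.Data.Common;

static class OrderRepository
{
    // Hardened form of the concatenated delete: the id travels to the server
    // as a typed parameter, so it is never interpreted as part of the SQL text,
    // and the statement text stays constant, which lets the query plan be reused.
    public static int DeleteOrder(DbConnection conn, int id)
    {
        if (conn == null) throw new ArgumentNullException(nameof(conn));

        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "delete from Orders where id = @id";

            // DbCommand.CreateParameter gives a provider-specific DbParameter
            // without tying the code to SqlCommand/SqlParameter.
            var p = cmd.CreateParameter();
            p.ParameterName = "@id";
            p.DbType = DbType.Int32;   // declare the type; no quoting or escaping needed
            p.Value = id;
            cmd.Parameters.Add(p);

            return cmd.ExecuteNonQuery();   // number of rows deleted
        }
    }

    // Typical caller: the id arrives as text from the outside world, so it is
    // converted to the expected type first; anything that is not an integer is
    // rejected before any SQL is involved.
    public static int DeleteOrderFromInput(DbConnection conn, string rawId)
    {
        if (!int.TryParse(rawId, out var id))
            throw new ArgumentException("Order id must be an integer.", nameof(rawId));

        return DeleteOrder(conn, id);
    }
}
```

For code review, the check the answer describes is mechanical: every CommandText assignment should read like the constant string above, with no `+` or interpolation of caller-supplied values.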