Yes and no. First i'll preface this by saying I'm not just posting links but have done security audits professionally using all of these tools and not as a developer on a project but an external resource. Note that generally sqlserver injection is different than mysql as well.

是和否。首先，我会先说我不只是发布链接，而是使用所有这些工具专业地进行安全审计，而不是作为项目的开发人员，而是作为外部资源。请注意，通常 sqlserver 注入也与 mysql 不同。

Free tools like paros proxy [crawls] (previously mentioned),

像paros proxy [crawls]（前面提到的）这样的免费工具，

burpsuite (previously mentioned [crawls] but active attacks requires pro): http://portswigger.net/burp/

burpsuite（之前提到过 [crawls] 但主动攻击需要专业人士）：http://portswigger.net/burp/

sqlninja (sqlserver only) http://sqlninja.sourceforge.net/

sqlninja（仅限 sqlserver）http://sqlninja.sourceforge.net/

google rat proxy: [crawls] http://code.google.com/p/ratproxy/

谷歌老鼠代理：[爬行] http://code.google.com/p/ratproxy/

websecurify: [crawls] http://www.websecurify.com/

websecurify：[爬行] http://www.websecurify.com/

wapiti: [crawls but takes work to set up - can be used specifically for sqli with spider] http://wapiti.sourceforge.net/

wapiti：[爬行但需要工作来设置 - 可以专门用于带有蜘蛛的 sqli] http://wapiti.sourceforge.net/

nikto: [crawls but not for sqli...]

nikto: [爬行但不是为sqli...]

are great! They can help you identify problems but take a great deal of human analysis due to large amounts of false positives. Commercial tools are available like:

很棒！它们可以帮助您识别问题，但由于存在大量误报，因此需要进行大量人工分析。商业工具可用，例如：

NTOSpider (one of the best [crawls!]) : http://www.ntobjectives.com/software/ntospider

NTOSpider（最好的 [爬行！] 之一）：http://www.ntobjectives.com/software/ntospider

are very expensive but talking to a rep will get you a free copy for a period of time (which I have done with them). They make sorting through results faster by providing validation links in the reports but you STILL need a trained eye and analysis as I have found false positives.

非常昂贵，但与代表交谈会为您提供一段时间的免费副本（我已经与他们一起完成了）。他们通过在报告中提供验证链接来更快地对结果进行排序，但您仍然需要训练有素的眼睛和分析，因为我发现了误报。

Ultimately the correct answer to this question is: You can use tools to help you identify if there are security (sqli) vulnerabilities but only a trained eye using the tools can validate them. Further only a proper code review and analysis can identify vulnerabilities that an app (even a very good one) may miss.

最终，这个问题的正确答案是：您可以使用工具来帮助您确定是否存在安全 (sqli) 漏洞，但只有经过训练的眼睛使用这些工具才能验证它们。此外，只有适当的代码和分析才能识别应用程序（即使是非常好的应用程序）可能会遗漏的漏洞。

Tools can help but you need human time and analysis to do this correctly. Proxies and request manglers are the real tools for hitting the app with injection and are done with careful intention of trained testers or those with a curious mind.

工具可以提供帮助，但您需要人工时间和分析才能正确执行此操作。代理和请求管理器是通过注入攻击应用程序的真正工具，并且是经过训练有素的测试人员或具有好奇心的测试人员的谨慎意图完成的。

I have two favorite tools (both free):

我有两个最喜欢的工具（都是免费的）：

1. sqlmap- You give it a URL, and it automatically scans for vulnerabilities. If it gets in, it gives you a SQL prompt.
2. Paros Proxy- This one takes a little longer to set up. You have to configure your browser to use a proxy and then use your site (log in, navigate to other pages, etc.). Once you're done, it will analyze its cache of all the requests you made and show a report of the potential vulnerabilities it found.

1. sqlmap- 你给它一个 URL，它会自动扫描漏洞。如果它进入，它会给你一个 SQL 提示。
2. Paros 代理- 这个需要更长的时间来设置。您必须将浏览器配置为使用代理，然后才能使用您的站点（登录、导航到其他页面等）。完成后，它将分析您发出的所有请求的缓存，并显示它发现的潜在漏洞的报告。

The Burp Scannerworks extremely well for finding SQL injection as well as a variety of other things. You have to shell out $300 for the scanner though, but that is fairly cheap when looking at other scanners in the market.

该打嗝扫描仪的工作原理非常好寻找SQL注入以及其他各种东西。虽然您必须为扫描仪支付 300 美元，但在市场上查看其他扫描仪时，这是相当便宜的。

To elaborate, what you are looking for is a web application vulnerability scanner. These will crawl your site and send attack vectors into various parameters. Of all the scanners that I have used, Burp has given me the best results and has great performance. If you are looking for a free alternative you can try Grendel ScanIt has not been updated in a while but still works pretty well. Especially for a free tool.

详细说明，您正在寻找的是 Web 应用程序漏洞扫描程序。这些将抓取您的站点并将攻击向量发送到各种参数中。在我使用过的所有扫描仪中，Burp 给了我最好的结果并且具有出色的性能。如果您正在寻找免费的替代方案，您可以尝试Grendel Scan它已经有一段时间没有更新了，但仍然运行良好。特别是对于免费工具。

Here is a listof some the other vulnerability scanners that are out there. I am sure you will find something to meet your needs.

以下是一些其他漏洞扫描程序的列表。我相信你会找到满足你需求的东西。

There are enormous tools present in market for crawling all pages and detecting SQL injections. You should read this discussion it's never late How can I prevent SQL injection in PHP?and Testing for security vulnerabilities in web applications: Best practices?.

市场上有大量工具可用于抓取所有页面和检测 SQL 注入。您应该阅读这个讨论，它永远不会迟到如何在 PHP 中防止 SQL 注入？和测试 Web 应用程序中的安全漏洞：最佳实践？.

I would suggest Wapitifor finding web application vulnerabilities. Acunetix is over priced.

我建议使用Wapiti查找 Web 应用程序漏洞。Acunetix 价格过高。

See more:

查看更多：

• web-application-security-testing-tools

• 网络应用程序安全测试工具

There are programs to detect SQL injections, for example:

有一些程序可以检测 SQL 注入，例如：

• BSQL Hacker

• Absinthe

• Acunetix Vulnerability Scanner

• Netsparker

• BSQL黑客

• 苦艾酒

• Acunetix 漏洞扫描器

• 网络火花

What I test in my sites :

我在我的网站上测试的内容：

If you have log-in form for example try to enter:

例如，如果您有登录表单，请尝试输入：

username field : anytext or 1=1'

用户名字段：anytext 或 1=1'

Password field : anypassword

密码字段：anypassword

if you didn't cover sql injection in your code , you can login by that .

如果你的代码中没有包括 sql 注入，你可以通过它登录。

Thanks

谢谢