Any application that has the following pattern is at risk of SQL injection:
Takes user input
Does not check user input for validity
Uses user-input data to query a database
Uses string concatenation or string replacement to build the SQL query or uses the SQL exec command (or similar)
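
The pattern listed above, shown next to a hardened form, as an added example that is not code from the original page. It assumes Python's built-in sqlite3 module; the `users` table, its rows, the function names and the `NAME_RE` validity rule are all constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)",
                   [("alice",), ("O'Brien",)])
    return db

def find_user_concat(db, name):
    """At-risk pattern: unchecked input concatenated into the SQL text."""
    query = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

# Hypothetical validity rule for this example: letters, apostrophe, hyphen, space.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")

def find_user_param(db, name):
    """Hardened form: validate the input, then bind it as a parameter."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid name")
    # The ? placeholder keeps the value out of the SQL text entirely,
    # so a quote in the value cannot end the string literal.
    return db.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()

def concat_outcome(db, name):
    """Return the rows, or the error class name if the built SQL did not parse."""
    try:
        return find_user_concat(db, name)
    except sqlite3.Error as exc:
        return type(exc).__name__

if __name__ == "__main__":
    db = make_db()
    print(concat_outcome(db, "alice"))     # concatenation looks fine on simple input
    print(concat_outcome(db, "O'Brien"))   # the quote in the data is parsed as SQL
    print(find_user_param(db, "O'Brien"))  # bound parameter: data stays data
```

The name `O'Brien` passes the validity rule, which is why validation alone is not the fix here: the bound parameter is what keeps the value from being parsed as part of the statement.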