: OK, they parse into Abstract Syntax Trees and use control flow graphs, : they're definitely better than mine. Nice. Does this mean that the program isn't prone to finding the SQL errors that are not true SQL injections? If so.. =)