by amjo324 3854 days ago
As per my other comment below, the intended use case for SQLmap is more around exploitation rather than identifying injection points. Penetration testers will usually identify the injectable parameters through other means (e.g. using purpose-built security HTTP proxy software such as 'Burp Suite' and 'Zed Attack Proxy'). After they have confirmed the existence of SQLi, they will then feed the HTTP request and vulnerable parameter into SQLmap to automate exploitation (i.e. dump DB contents, hashes, etc.).

I would say that SQLmap is normally effective at determining whether an HTTP parameter is injectable with a high degree of confidence. However, sometimes there will be Web Application Firewall (WAF) filters or unusual/inconsistent application behaviour on certain inputs, which means it can't confirm whether the parameter is definitely vulnerable or not (less than 10% of the time in my experience). For the same reasons, often it won't be able to successfully automate the exploitation for you. On those occasions, we have to craft our queries manually to exfiltrate database contents and so forth.