[maigret]

There are some pretty (free) good tools out there to test against most injections methods. I'm not saying having a conceptual grasp of security hurts ;) All in all, you can't know all methods - and the tools won't probably know much less.

[masomenos]

Every security professional I've heard speak emphasizes the importance of grasping what they tend to call "the security mindset". Which I understand to mean putting yourself in the place of an attacker and asking how your code could be taken advantage of.

Running an automated tool against your web app isn't a bad idea, but it's no replacement for thinking about what you're doing.