With respect to SQL injection, it seems to me that it will be very hard to rule out.
Wherever there is a form with text input, it will be up to the server to properly sanitize and protect the database calls. I can't think of any way to test what the server does with the input - except trying to destroy the database
- which would not be popular.
Even if you can detect that the form uses JavaScript to check text input content, is that enough to provide security?
Bill