All those options are nice, but you still need to check for the front-end code. Back when I started coding, we used to concatenate SQL strings on the front end, and they would appear as ad-hoc calls in the database.
I know that there are some tools that help to identify vulnerabilities, but I don't use any of them and can't recommend them.