in reply to SQL injection tests

Simply examine the source code to make sure that only placeholders are used, everywhere. That no SQL strings are constructed anywhere. That no literals appear anywhere in an SQL string.
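One way to automate part of this review, as an added example that is not part of the original post: a small static check that flags database calls whose SQL is constructed or contains inline literals. It assumes Python code using DB-API-style `execute()` / `executemany()` calls; the function name, the regex heuristic and the sample code are constructed for illustration.

```python
import ast
import re

# Assumption: database calls go through methods with these names (DB-API style).
EXEC_METHODS = {"execute", "executemany"}
# Heuristic for an inline literal: a quoted string, or a number after a comparison.
LITERAL_RE = re.compile(r"'[^']*'|(?:=|<|>|\bIN\s*\()\s*\d+", re.IGNORECASE)

def audit_sql_calls(source):
    """Return sorted (line, finding) pairs for execute() calls that break the rules."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in EXEC_METHODS
                and node.args):
            continue
        sql = node.args[0]
        if isinstance(sql, ast.Constant) and isinstance(sql.value, str):
            # Constant SQL text: only placeholders should carry values.
            if LITERAL_RE.search(sql.value):
                findings.append((node.lineno, "literal in SQL string"))
        else:
            # f-string, concatenation, %-formatting, .format(), or a variable
            # that a reviewer has to trace back to where it was built.
            findings.append((node.lineno, "SQL string constructed or not constant"))
    return sorted(findings)

# Constructed sample code to audit (not from the original post).
SAMPLE = '''
cur.execute("SELECT id FROM users WHERE name = ?", (name,))
cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
cur.execute(f"DELETE FROM users WHERE id = {uid}")
cur.execute("SELECT id FROM users WHERE role = 'admin'")
cur.execute("UPDATE users SET name = %s WHERE id = %s" % (name, uid))
cur.execute(query, (uid,))
'''

if __name__ == "__main__":
    for line, finding in audit_sql_calls(SAMPLE):
        print(f"line {line}: {finding}")
```

A check like this only narrows the search: SQL assembled elsewhere and passed in through a variable is reported as "not constant" and still has to be read by hand.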