Hacker News

Yeah, I would make the SQL injection and command injection tests a little less kinetic =). Using a simple SELECT test, like SELECT @@VERSION, would be a little safer... Edit: Forgot to say thanks! This is a pretty cool list.


You want something that modifies so that you can detect that the SQL executed. But an INSERT would be much friendlier than a DROP TABLE. :)


Not necessarily. If you do a test with good SQL and a second test with SQL injection and compare the responses, that can show SQL injection exists without having to change the database. This won't work for all SQL injection tests, but I would rather take this approach first.
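The read-only approach discussed in this thread (a SELECT @@VERSION-style probe instead of a destructive payload, and comparing the response to a known-good request against the response to an injected one) as an added, self-contained example; this is not code from the original posts. It uses a constructed in-memory SQLite database standing in for the target application's backend, so the MySQL/SQL Server `@@VERSION` becomes SQLite's `sqlite_version()`; the table, rows, and the `vulnerable_lookup`/`safe_lookup` functions are assumptions made for the demonstration.

```python
import sqlite3


def build_db():
    # Constructed stand-in for the target application's backend (assumption:
    # one users table with two rows; not from the original thread).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def row_count(conn):
    # Used afterwards to confirm the probes did not change the database.
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def vulnerable_lookup(conn, name):
    # Deliberately vulnerable: user input concatenated into the query text.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    try:
        return [tuple(r) for r in conn.execute(sql)]
    except sqlite3.Error as e:
        return [("error", str(e))]


def safe_lookup(conn, name):
    # Same query with a bound parameter; the input is never parsed as SQL.
    return [tuple(r) for r in conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,))]


def differential_probe(lookup, conn, benign="alice"):
    # Boolean-based differential test: send a known-good value, then the same
    # value with an always-true and an always-false tail. If the always-true
    # response matches the baseline while the always-false one differs, the
    # appended SQL was evaluated by the database. Nothing is written.
    baseline = lookup(conn, benign)
    as_true = lookup(conn, benign + "' AND '1'='1")
    as_false = lookup(conn, benign + "' AND '1'='2")
    return baseline == as_true and baseline != as_false


def version_probe(lookup, conn, benign="alice"):
    # Read-only fingerprint, the SQLite analogue of SELECT @@VERSION: a UNION
    # that adds one row carrying sqlite_version(). Returns the version string
    # if it came back in the response, else None.
    rows = lookup(conn, benign + "' UNION SELECT 1, sqlite_version() --")
    for row in rows:
        if len(row) == 2 and row[1] == sqlite3.sqlite_version:
            return row[1]
    return None


def run_probes():
    # Run both probes against the vulnerable and the parameterised lookup and
    # report (injection detected, version leaked, rows remaining in the table).
    db = build_db()
    results = {}
    for label, fn in (("vulnerable", vulnerable_lookup), ("safe", safe_lookup)):
        results[label] = (
            differential_probe(fn, db),
            version_probe(fn, db) is not None,
            row_count(db),
        )
    return results


if __name__ == "__main__":
    for label, (detected, leaked, rows) in run_probes().items():
        print(f"{label}: injection={detected} version_leaked={leaked} rows_after={rows}")
```

Both probes are pure SELECTs: the row count is unchanged after they run, which is the point of preferring this over an INSERT or DROP TABLE payload. The differential probe also catches cases where a UNION is blocked (wrong column count, filtered keywords) but the WHERE clause is still being evaluated, while the version probe gives you the backend fingerprint the thread suggests collecting first.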



