In my experience advising clients, there are some expedient tactics that can quickly be applied to addressing 'Inappropriate Use of Substitution Syntax' errors spotted by APEX Advisor. The below decision tree, hopefully, addresses 90% of situations. The main take-away from the below is that 90% of your SQL Injection vulnerabilities will take care of themselves if you simply lean in to APEX's handy declarative report-building / link-building utilities.