Penetration testing for PHP security vulnerabilities

I am doing a undergrad research paper on "Identifying and Testing security vulnerabilities in websites". Initially I thought I would test manually as I had specified in my methodology that I would only test for few chosen vulnerabilities i.e. SQL injection, Cross site scripting, error reporting, session hijacking and input validations. But as I continued researching I found all articles and tutorials suggested software.

I have few websites that my mates administer so I want to conduct testing on their sites. I am checking for few vulnerabilities on half a dozen websites. Should I use penetration testing tools or just do dynamic penetration testing without software?