sql-code-review
Scannednpx machina-cli add skill github/awesome-copilot/sql-code-review --openclawFiles (1)
SKILL.md
8.7 KB
SQL Code Review
Perform a thorough SQL code review of ${selection} (or entire project if no selection) focusing on security, performance, maintainability, and database best practices.
๐ Security Analysis
SQL Injection Prevention
-- โ CRITICAL: SQL Injection vulnerability
query = "SELECT * FROM users WHERE id = " + userInput;
query = f"DELETE FROM orders WHERE user_id = {user_id}";
-- โ
SECURE: Parameterized queries
-- PostgreSQL/MySQL
PREPARE stmt FROM 'SELECT * FROM users WHERE id = ?';
EXECUTE stmt USING @user_id;
-- SQL Server
EXEC sp_executesql N'SELECT * FROM users WHERE id = @id', N'@id INT', @id = @user_id;
Access Control & Permissions
- Principle of Least Privilege: Grant minimum required permissions
- Role-Based Access: Use database roles instead of direct user permissions
- Schema Security: Proper schema ownership and access controls
- Function/Procedure Security: Review DEFINER vs INVOKER rights
Data Protection
- Sensitive Data Exposure: Avoid SELECT * on tables with sensitive columns
- Audit Logging: Ensure sensitive operations are logged
- Data Masking: Use views or functions to mask sensitive data
- Encryption: Verify encrypted storage for sensitive data
โก Performance Optimization
Query Structure Analysis
-- โ BAD: Inefficient query patterns
SELECT DISTINCT u.*
FROM users u, orders o, products p
WHERE u.id = o.user_id
AND o.product_id = p.id
AND YEAR(o.order_date) = 2024;
-- โ
GOOD: Optimized structure
SELECT u.id, u.name, u.email
FROM users u
INNER JOIN orders o ON u.id = o.user_id
WHERE o.order_date >= '2024-01-01'
AND o.order_date < '2025-01-01';
Index Strategy Review
- Missing Indexes: Identify columns that need indexing
- Over-Indexing: Find unused or redundant indexes
- Composite Indexes: Multi-column indexes for complex queries
- Index Maintenance: Check for fragmented or outdated indexes
Join Optimization
- Join Types: Verify appropriate join types (INNER vs LEFT vs EXISTS)
- Join Order: Optimize for smaller result sets first
- Cartesian Products: Identify and fix missing join conditions
- Subquery vs JOIN: Choose the most efficient approach
Aggregate and Window Functions
-- โ BAD: Inefficient aggregation
SELECT user_id,
(SELECT COUNT(*) FROM orders o2 WHERE o2.user_id = o1.user_id) as order_count
FROM orders o1
GROUP BY user_id;
-- โ
GOOD: Efficient aggregation
SELECT user_id, COUNT(*) as order_count
FROM orders
GROUP BY user_id;
๐ ๏ธ Code Quality & Maintainability
SQL Style & Formatting
-- โ BAD: Poor formatting and style
select u.id,u.name,o.total from users u left join orders o on u.id=o.user_id where u.status='active' and o.order_date>='2024-01-01';
-- โ
GOOD: Clean, readable formatting
SELECT u.id,
u.name,
o.total
FROM users u
LEFT JOIN orders o ON u.id = o.user_id
WHERE u.status = 'active'
AND o.order_date >= '2024-01-01';
Naming Conventions
- Consistent Naming: Tables, columns, constraints follow consistent patterns
- Descriptive Names: Clear, meaningful names for database objects
- Reserved Words: Avoid using database reserved words as identifiers
- Case Sensitivity: Consistent case usage across schema
Schema Design Review
- Normalization: Appropriate normalization level (avoid over/under-normalization)
- Data Types: Optimal data type choices for storage and performance
- Constraints: Proper use of PRIMARY KEY, FOREIGN KEY, CHECK, NOT NULL
- Default Values: Appropriate default values for columns
๐๏ธ Database-Specific Best Practices
PostgreSQL
-- Use JSONB for JSON data
CREATE TABLE events (
id SERIAL PRIMARY KEY,
data JSONB NOT NULL,
created_at TIMESTAMPTZ DEFAULT NOW()
);
-- GIN index for JSONB queries
CREATE INDEX idx_events_data ON events USING gin(data);
-- Array types for multi-value columns
CREATE TABLE tags (
post_id INT,
tag_names TEXT[]
);
MySQL
-- Use appropriate storage engines
CREATE TABLE sessions (
id VARCHAR(128) PRIMARY KEY,
data TEXT,
expires TIMESTAMP
) ENGINE=InnoDB;
-- Optimize for InnoDB
ALTER TABLE large_table
ADD INDEX idx_covering (status, created_at, id);
SQL Server
-- Use appropriate data types
CREATE TABLE products (
id BIGINT IDENTITY(1,1) PRIMARY KEY,
name NVARCHAR(255) NOT NULL,
price DECIMAL(10,2) NOT NULL,
created_at DATETIME2 DEFAULT GETUTCDATE()
);
-- Columnstore indexes for analytics
CREATE COLUMNSTORE INDEX idx_sales_cs ON sales;
Oracle
-- Use sequences for auto-increment
CREATE SEQUENCE user_id_seq START WITH 1 INCREMENT BY 1;
CREATE TABLE users (
id NUMBER DEFAULT user_id_seq.NEXTVAL PRIMARY KEY,
name VARCHAR2(255) NOT NULL
);
๐งช Testing & Validation
Data Integrity Checks
-- Verify referential integrity
SELECT o.user_id
FROM orders o
LEFT JOIN users u ON o.user_id = u.id
WHERE u.id IS NULL;
-- Check for data consistency
SELECT COUNT(*) as inconsistent_records
FROM products
WHERE price < 0 OR stock_quantity < 0;
Performance Testing
- Execution Plans: Review query execution plans
- Load Testing: Test queries with realistic data volumes
- Stress Testing: Verify performance under concurrent load
- Regression Testing: Ensure optimizations don't break functionality
๐ Common Anti-Patterns
N+1 Query Problem
-- โ BAD: N+1 queries in application code
for user in users:
orders = query("SELECT * FROM orders WHERE user_id = ?", user.id)
-- โ
GOOD: Single optimized query
SELECT u.*, o.*
FROM users u
LEFT JOIN orders o ON u.id = o.user_id;
Overuse of DISTINCT
-- โ BAD: DISTINCT masking join issues
SELECT DISTINCT u.name
FROM users u, orders o
WHERE u.id = o.user_id;
-- โ
GOOD: Proper join without DISTINCT
SELECT u.name
FROM users u
INNER JOIN orders o ON u.id = o.user_id
GROUP BY u.name;
Function Misuse in WHERE Clauses
-- โ BAD: Functions prevent index usage
SELECT * FROM orders
WHERE YEAR(order_date) = 2024;
-- โ
GOOD: Range conditions use indexes
SELECT * FROM orders
WHERE order_date >= '2024-01-01'
AND order_date < '2025-01-01';
๐ SQL Review Checklist
Security
- All user inputs are parameterized
- No dynamic SQL construction with string concatenation
- Appropriate access controls and permissions
- Sensitive data is properly protected
- SQL injection attack vectors are eliminated
Performance
- Indexes exist for frequently queried columns
- No unnecessary SELECT * statements
- JOINs are optimized and use appropriate types
- WHERE clauses are selective and use indexes
- Subqueries are optimized or converted to JOINs
Code Quality
- Consistent naming conventions
- Proper formatting and indentation
- Meaningful comments for complex logic
- Appropriate data types are used
- Error handling is implemented
Schema Design
- Tables are properly normalized
- Constraints enforce data integrity
- Indexes support query patterns
- Foreign key relationships are defined
- Default values are appropriate
๐ฏ Review Output Format
Issue Template
## [PRIORITY] [CATEGORY]: [Brief Description]
**Location**: [Table/View/Procedure name and line number if applicable]
**Issue**: [Detailed explanation of the problem]
**Security Risk**: [If applicable - injection risk, data exposure, etc.]
**Performance Impact**: [Query cost, execution time impact]
**Recommendation**: [Specific fix with code example]
**Before**:
```sql
-- Problematic SQL
After:
-- Improved SQL
Expected Improvement: [Performance gain, security benefit]
### Summary Assessment
- **Security Score**: [1-10] - SQL injection protection, access controls
- **Performance Score**: [1-10] - Query efficiency, index usage
- **Maintainability Score**: [1-10] - Code quality, documentation
- **Schema Quality Score**: [1-10] - Design patterns, normalization
### Top 3 Priority Actions
1. **[Critical Security Fix]**: Address SQL injection vulnerabilities
2. **[Performance Optimization]**: Add missing indexes or optimize queries
3. **[Code Quality]**: Improve naming conventions and documentation
Focus on providing actionable, database-agnostic recommendations while highlighting platform-specific optimizations and best practices.
Source
git clone https://github.com/github/awesome-copilot/blob/main/plugins/database-data-management/skills/sql-code-review/SKILL.mdView on GitHub Overview
sql-code-review performs comprehensive security, maintainability, and quality analysis across major SQL engines (MySQL, PostgreSQL, SQL Server, Oracle). It targets SQL injection prevention, access control, code standards, and anti-patterns, complementing optimization prompts for complete coverage.
How This Skill Works
The tool analyzes the selected SQL (or entire project) for vulnerabilities, performance antipatterns, and maintainability issues. It returns actionable findings with fixes and example code snippets aligned to database-specific best practices.
When to Use It
- Review new or existing SQL scripts for security flaws before deployment
- Audit access controls and schema permissions during role changes
- Refactor queries to fix anti-patterns and improve readability
- Prepare code for CI/CD by enforcing style and standards
- Tune performance by analyzing joins, indexes, and aggregation patterns
Quick Start
- Step 1: Run sql-code-review on the target SQL or project
- Step 2: Inspect findings in the Security, Performance, and Quality sections
- Step 3: Apply suggested fixes or snippets and re-run
Best Practices
- Prioritize parameterized queries to prevent SQL injection
- Apply least privilege and use roles over direct grants
- Avoid SELECT * and mask sensitive columns in results
- Name objects consistently and follow naming conventions
- Review indexes, avoid over-indexing, and maintain statistics
Example Use Cases
- Converted vulnerable dynamic SQL to prepared statements
- Implemented RBAC and schema ownership to enforce least privilege
- Rewrote a complex DISTINCT-based query to equivalent JOIN-based query
- Added data masking via views for sensitive fields
- Detected missing join conditions and eliminated cartesian products
Frequently Asked Questions
Add this skill to your agents
