SQL Code Review

An AI skill that reviews SQL queries and database code for performance issues, security vulnerabilities, and best practice violations, improving query efficiency and preventing injection attacks.

What Is This?

Overview

This skill analyzes SQL code including queries, stored procedures, migrations, and schema definitions. It checks for performance pitfalls like missing indexes, N+1 query patterns, and full table scans. It flags security issues such as SQL injection vectors and overly permissive grants. It also reviews code style for readability, naming consistency, and proper use of database features. Each finding includes a severity level and a concrete fix.

Who Should Use This

Essential for backend developers writing database queries, DBAs reviewing schema changes, and teams without dedicated database expertise. Valuable during code review when reviewers lack SQL specialization.

Why Use It?

Problems It Solves

SQL bugs are expensive. A missing index can slow a query from milliseconds to minutes under load. An injection vulnerability can expose an entire database. Poor schema design creates technical debt that compounds with every new feature. Most review processes focus on application logic and miss database layer issues.

Core Highlights

• Performance Analysis identifies slow query patterns and suggests index strategies
• Security Scanning detects injection vulnerabilities and permission issues
• Style Review checks naming conventions, formatting, and readability
• Migration Safety validates schema changes for backward compatibility
• Platform Aware understands dialect differences across PostgreSQL, MySQL, and SQLite

How to Use It?

Basic Usage

Submit SQL code and receive a detailed review with categorized findings.

-- Before review
SELECT * FROM orders
WHERE customer_id IN (
  SELECT id FROM customers WHERE region = 'US'
)
AND created_at > '2024-01-01'
ORDER BY created_at DESC;

-- Review findings:
-- [PERF] Avoid SELECT * - specify only needed columns
-- [PERF] Replace IN subquery with JOIN for better optimization
-- [PERF] Add index on orders(customer_id, created_at)
-- [STYLE] Use ISO date format with explicit cast

-- After review
SELECT o.id, o.total, o.created_at, o.status
FROM orders o
INNER JOIN customers c ON c.id = o.customer_id
WHERE c.region = 'US'
  AND o.created_at > DATE '2024-01-01'
ORDER BY o.created_at DESC;

Real-World Examples

E-Commerce Query Optimization

A retail platform experienced slow page loads during peak traffic. SQL code review identified that the product listing query was performing a full table scan on a 2 million row table because the WHERE clause used a function on an indexed column, preventing index usage.

-- Flagged: function on indexed column prevents index use
SELECT id, name, price FROM products
WHERE LOWER(category) = 'electronics'
  AND active = true;

-- Fixed: use a generated column or case-insensitive collation
ALTER TABLE products
  ADD COLUMN category_lower TEXT
  GENERATED ALWAYS AS (LOWER(category)) STORED;
CREATE INDEX idx_products_cat ON products(category_lower);

-- Alternative: Use citext extension (PostgreSQL)
ALTER TABLE products ALTER COLUMN category TYPE citext;

Advanced Tips

Integrate SQL review into your pull request workflow by running it on migration files automatically. Use EXPLAIN output alongside review findings to validate performance recommendations. Focus on queries running in hot paths first.

When to Use It?

Use Cases

• Pull Request Reviews catch SQL issues before they merge to main
• Migration Validation verify schema changes are safe and backward compatible
• Performance Debugging identify why specific queries are slow under load
• Security Audits scan stored procedures and dynamic queries for injection risks
• Database Refactoring improve existing queries during technical debt sprints

Related Topics

When working with SQL code review, these prompts activate the skill:

• "Review this SQL query for performance issues"
• "Check my migration for problems"
• "Find security issues in this database code"
• "Optimize this slow query"

Important Notes

Requirements

• Supports PostgreSQL, MySQL, SQLite, and standard SQL syntax
• Works with raw queries, stored procedures, and migration scripts
• Benefits from schema context to validate column references and types
• EXPLAIN plan output helps validate performance recommendations

Usage Recommendations

Do:

• Include table schemas when submitting queries for more accurate review
• Review migration scripts before running as schema changes are hard to reverse
• Address security findings immediately regardless of other priorities
• Run EXPLAIN on flagged queries to confirm performance analysis

Don't:

• Ignore warnings about missing indexes as they cause issues at scale
• Use dynamic SQL string concatenation since parameterized queries prevent injection
• Apply fixes without testing as query behavior depends on data distribution
• Skip reviewing generated ORM queries since they often contain hidden inefficiencies

Limitations

• Cannot analyze query performance without actual table statistics and data
• Recommendations may vary based on database version and configuration
• Complex stored procedures with dynamic SQL may not be fully analyzed
• Platform specific features may not transfer between different database engines