{
  "id": "review-ai-generated-sql",
  "type": "checklists",
  "category": "checklists",
  "locale": "en",
  "url": "/checklists/review-ai-generated-sql",
  "title": "Checklist for Reviewing AI-Generated SQL Queries",
  "description": "A human review checklist for SQL written by AI coding agents — correctness, injection, performance, and migrations.",
  "tools": [
    "Cursor",
    "Claude Code",
    "Codex"
  ],
  "stack": [
    "PostgreSQL",
    "TypeScript"
  ],
  "tags": [
    "sql",
    "review",
    "security",
    "postgres"
  ],
  "difficulty": null,
  "updated": "2026-06-08",
  "markdown": "AI writes SQL fast, but not always safely. Run every AI-generated query through\nthis before merging.\n\n## Correctness\n\n```txt\n[ ] Joins use the right keys (no accidental cross joins)\n[ ] NULL handling is intentional (COALESCE / IS NULL, not = NULL)\n[ ] Aggregates have correct GROUP BY columns\n[ ] Pagination is stable (ORDER BY a unique column)\n```\n\n## Security\n\n```txt\n[ ] No string-concatenated SQL — parameterised queries only\n[ ] User input never reaches identifiers (table/column names)\n[ ] Row-level access is enforced (tenant_id / user_id filter present)\n```\n\n## Performance\n\n```txt\n[ ] Queries hit an index (check EXPLAIN for Seq Scan on large tables)\n[ ] No SELECT * in hot paths\n[ ] N+1 patterns batched or joined\n```\n\n## Migrations\n\n```txt\n[ ] Migration is reversible (or explicitly one-way and documented)\n[ ] No blocking locks on large tables during deploy\n[ ] Defaults/backfills won't rewrite the whole table synchronously\n```\n\n## Fix Prompt\n\n```txt title=\"Fix Prompt\"\nReview this SQL against the checklist above. Parameterise any concatenated\ninput, add the missing tenant filter, and confirm the query uses an index\nwith EXPLAIN. Return the corrected query only.\n```"
}