{
  "id": "review-ai-generated-sql",
  "type": "checklists",
  "category": "checklists",
  "locale": "zh",
  "url": "/zh/checklists/review-ai-generated-sql",
  "title": "Checklist for Reviewing AI-Generated SQL Queries",
  "description": "A human review checklist for SQL written by AI coding agents: correctness, injection, performance, and migrations.",
  "tools": [
    "Cursor",
    "Claude Code",
    "Codex"
  ],
  "stack": [
    "PostgreSQL",
    "TypeScript"
  ],
  "tags": [
    "sql",
    "review",
    "security",
    "postgres"
  ],
  "difficulty": null,
  "updated": "2026-06-08",
  "markdown": "AI writes SQL fast, but not always safely. Run every AI-generated query through this checklist before merging.\n\n## Correctness\n\n```txt\n[ ] Joins use the right keys (no accidental cross joins)\n[ ] NULL handling is intentional (COALESCE / IS NULL, not = NULL)\n[ ] Aggregates have correct GROUP BY columns\n[ ] Pagination is stable (ORDER BY a unique column)\n```\n\n## Security\n\n```txt\n[ ] No string-concatenated SQL — parameterised queries only\n[ ] User input never reaches identifiers (table/column names)\n[ ] Row-level access is enforced (tenant_id / user_id filter present)\n```\n\n## Performance\n\n```txt\n[ ] Queries hit an index (check EXPLAIN for Seq Scan on large tables)\n[ ] No SELECT * in hot paths\n[ ] N+1 patterns batched or joined\n```\n\n## Migrations\n\n```txt\n[ ] Migration is reversible (or explicitly one-way and documented)\n[ ] No blocking locks on large tables during deploy\n[ ] Defaults/backfills won't rewrite the whole table synchronously\n```\n\n## Fix Prompt\n\n```txt title=\"Fix Prompt\"\nReview this SQL against the checklist above. Parameterise any concatenated\ninput, add the missing tenant filter, and confirm the query uses an index\nwith EXPLAIN. Return the corrected query only.\n```"
}