# Checklist for Reviewing AI-Generated SQL Queries

> A human review checklist for SQL written by AI coding agents: correctness, injection, performance and migrations.

**Type:** Checklist  
**Tools:** Cursor, Claude Code, Codex  
**Stack:** PostgreSQL, TypeScript  
**Updated:** 2026-06-08

---

AI writes SQL fast, but not always safely. Run every AI-generated query through this checklist before merging.

## Correctness

```txt
[ ] Joins use the right keys (no accidental cross joins)
[ ] NULL handling is intentional (COALESCE / IS NULL, not = NULL)
[ ] Aggregates have correct GROUP BY columns
[ ] Pagination is stable (ORDER BY a unique column)
```

## Security

```txt
[ ] No string-concatenated SQL — parameterised queries only
[ ] User input never reaches identifiers (table/column names)
[ ] Row-level access is enforced (tenant_id / user_id filter present)
```
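The correctness and security items above are easiest to enforce in one place, so here is an added example (not code from the original checklist) of a small TypeScript query builder that returns the `{ text, values }` object shape node-postgres clients accept. The schema (`orders(id, tenant_id, customer_id, status, created_at)`), the column allow-list and the page-size bound are assumptions for the example; the deliberately unsafe variant is kept only to show what a reviewer should reject.

```typescript
// Added example, not from the original checklist: a query builder that produces
// the { text, values } shape accepted by node-postgres (pg) clients, so it can
// be reviewed and unit-tested without a database connection.
// Assumed schema: orders(id, tenant_id, customer_id, status, created_at).

export interface QueryConfig {
  text: string;
  values: unknown[];
}

// Identifiers never come from the caller as free strings: only names in this
// allow-list are spliced into SQL text, and they are quoted for good measure.
const ORDER_COLUMNS = new Set(["id", "customer_id", "status", "created_at"]);

function quoteIdent(name: string): string {
  if (!ORDER_COLUMNS.has(name)) {
    throw new Error(`column not allowed: ${name}`);
  }
  return `"${name.replace(/"/g, '""')}"`;
}

export interface OrderPage {
  tenantId: string;
  status?: string | null; // null means "filter on IS NULL", undefined means no filter
  columns: string[];
  pageSize: number;
  after?: { createdAt: string; id: number }; // keyset cursor from the previous page
}

// UNSAFE version, kept only to show what the checklist rejects: user input in
// the text, tenant filter missing, SELECT *, ORDER BY a non-unique column.
export function buildOrdersQueryUnsafe(status: string, pageSize: number): string {
  return `SELECT * FROM orders WHERE status = '${status}' ORDER BY created_at LIMIT ${pageSize}`;
}

// Safe version: every value is a $n parameter, tenant_id is always the first
// predicate, NULL handling is explicit, and pagination is keyset on (created_at, id).
export function buildOrdersQuery(p: OrderPage): QueryConfig {
  if (!Number.isInteger(p.pageSize) || p.pageSize < 1 || p.pageSize > 500) {
    throw new Error("pageSize must be an integer in 1..500");
  }
  const values: unknown[] = [p.tenantId];
  const where: string[] = ["tenant_id = $1"];

  if (p.status === null) {
    where.push("status IS NULL"); // never "status = NULL"
  } else if (p.status !== undefined) {
    values.push(p.status);
    where.push(`status = $${values.length}`);
  }

  if (p.after) {
    values.push(p.after.createdAt, p.after.id);
    // Row-value comparison keeps the cursor stable even when created_at repeats.
    where.push(`(created_at, id) > ($${values.length - 1}, $${values.length})`);
  }

  values.push(p.pageSize);
  const cols = p.columns.map(quoteIdent).join(", ");
  const text =
    `SELECT ${cols} FROM orders WHERE ${where.join(" AND ")} ` +
    `ORDER BY created_at, id LIMIT $${values.length}`;
  return { text, values };
}
```

The `(created_at, id)` row comparison is what makes the pagination item hold: `ORDER BY created_at` alone is not stable when two orders share a timestamp, and an `OFFSET` cursor drifts as rows are inserted. The tenant predicate is built in unconditionally rather than left to the caller, so a reviewer only has to check that every read goes through this builder.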

## Performance

```txt
[ ] Queries hit an index (check EXPLAIN for Seq Scan on large tables)
[ ] No SELECT * in hot paths
[ ] N+1 patterns batched or joined
```
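The N+1 item is the one AI agents most often get wrong in ORM-style loops, so here is an added example (not code from the original checklist) showing the per-row loop next to its batched form. The query function is injected and synchronous so the batching logic can be exercised offline; in production it would wrap a node-postgres client. The schema (`orders(id, customer_id)`, `customers(id, name)`) and the in-memory test double are assumptions for the example.

```typescript
// Added example, not from the original checklist: the N+1 pattern next to its
// batched form. The query function is injected so the example runs without a
// database. Assumed schema: orders(id, customer_id), customers(id, name).

export interface QueryConfig { text: string; values: unknown[]; }
export type Row = Record<string, unknown>;
// Synchronous stand-in for client.query so the batching logic is testable offline.
export type QueryFn = (q: QueryConfig) => Row[];

export interface Order { id: number; customer_id: number; }

// N+1: one round-trip per order. Reviewers should reject this in hot paths.
export function loadCustomersNPlusOne(orders: Order[], query: QueryFn): Map<number, Row> {
  const out = new Map<number, Row>();
  for (const o of orders) {
    const rows = query({
      text: "SELECT id, name FROM customers WHERE id = $1",
      values: [o.customer_id],
    });
    if (rows[0]) out.set(o.customer_id, rows[0]);
  }
  return out;
}

// Batched: dedupe the keys, send them as one int[] parameter, and map the
// results back. Explicit column list instead of SELECT *, and the predicate
// is still parameterised, so the planner can use the customers primary key.
export function loadCustomersBatched(orders: Order[], query: QueryFn): Map<number, Row> {
  const ids = [...new Set(orders.map((o) => o.customer_id))];
  const out = new Map<number, Row>();
  if (ids.length === 0) return out;
  const rows = query({
    text: "SELECT id, name FROM customers WHERE id = ANY($1::int[])",
    values: [ids],
  });
  for (const r of rows) out.set(r.id as number, r);
  return out;
}

// Test double (constructed for this example): an in-memory customers table
// that records every query it receives, so a test can count round-trips.
export function makeFakeQuery(customers: Row[]): { query: QueryFn; log: QueryConfig[] } {
  const log: QueryConfig[] = [];
  const query: QueryFn = (q) => {
    log.push(q);
    const wanted = q.text.includes("ANY(")
      ? (q.values[0] as number[])
      : [q.values[0] as number];
    return customers.filter((c) => wanted.includes(c.id as number));
  };
  return { query, log };
}
```

Counting queries in a test double like this is a cheap regression guard: a reviewer can assert that loading a page of N orders issues a fixed number of statements regardless of N, which is the property the checklist item is really about.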

## Migrations

```txt
[ ] Migration is reversible (or explicitly one-way and documented)
[ ] No blocking locks on large tables during deploy
[ ] Defaults/backfills won't rewrite the whole table synchronously
```
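The three migration items can be pre-screened mechanically before a human reads the DDL. The following is an added example (not code from the original checklist) of a heuristic TypeScript linter that flags the PostgreSQL patterns those items describe: index builds without `CONCURRENTLY`, column additions whose volatile default forces a table rewrite, `SET NOT NULL` and type changes that scan or rewrite under an exclusive lock, unbounded backfill `UPDATE`s, a missing `lock_timeout`, and a missing down migration. The regexes, the `-- one-way` marker convention and the assumption of PostgreSQL 11 or later (where a constant default no longer rewrites the table) are all the example's own choices, not a parser.

```typescript
// Added example, not from the original checklist: a heuristic linter for the
// migration items above. Regexes approximate a reviewer's eye, not a SQL
// parser. Assumes PostgreSQL 11+, where ADD COLUMN with a constant DEFAULT is
// metadata-only but a volatile DEFAULT still rewrites every row.

export interface Finding { statement: string; problem: string; }

// Defaults that must be evaluated per row (example list, extend as needed).
const VOLATILE_DEFAULT = /\bDEFAULT\s+(now\(\)|clock_timestamp\(\)|gen_random_uuid\(\)|random\(\))/i;

function splitStatements(sql: string): string[] {
  return sql
    .split(";")
    .map((s) => s.replace(/^(\s*--[^\n]*\n)+/, "").trim()) // drop leading comment lines
    .filter((s) => s.length > 0);
}

// Example convention: an up migration documents irreversibility with "-- one-way".
export function reviewMigration(up: string, down?: string): Finding[] {
  const findings: Finding[] = [];

  if (!(down && down.trim().length > 0) && !/--\s*one-way/i.test(up)) {
    findings.push({ statement: "(whole migration)", problem: "not reversible and not documented as one-way" });
  }
  // Without lock_timeout an ALTER waiting behind a long transaction queues
  // every later statement on the table behind it.
  if (!/\bSET\s+lock_timeout\b/i.test(up)) {
    findings.push({ statement: "(whole migration)", problem: "no SET lock_timeout before DDL" });
  }

  for (const st of splitStatements(up)) {
    if (/^CREATE\s+(UNIQUE\s+)?INDEX\b/i.test(st) && !/\bCONCURRENTLY\b/i.test(st)) {
      findings.push({ statement: st, problem: "CREATE INDEX without CONCURRENTLY blocks writes" });
    }
    if (/^ALTER\s+TABLE\b[\s\S]*\bADD\s+COLUMN\b/i.test(st) && VOLATILE_DEFAULT.test(st)) {
      findings.push({ statement: st, problem: "ADD COLUMN with volatile DEFAULT rewrites the whole table" });
    }
    if (/^ALTER\s+TABLE\b[\s\S]*\bSET\s+NOT\s+NULL\b/i.test(st)) {
      findings.push({ statement: st, problem: "SET NOT NULL scans the table under ACCESS EXCLUSIVE; add a NOT VALID CHECK and VALIDATE it first" });
    }
    if (/^ALTER\s+TABLE\b[\s\S]*\bALTER\s+COLUMN\b[\s\S]*\bTYPE\b/i.test(st)) {
      findings.push({ statement: st, problem: "ALTER COLUMN TYPE rewrites the table" });
    }
    // A backfill without a WHERE touches every row in one transaction.
    if (/^UPDATE\b/i.test(st) && !/\bWHERE\b/i.test(st)) {
      findings.push({ statement: st, problem: "UPDATE without WHERE backfills the whole table synchronously" });
    }
  }
  return findings;
}
```

Note that `CREATE INDEX CONCURRENTLY` cannot run inside a transaction block, so a migration tool that wraps each file in a transaction needs that statement marked to run outside it; the linter above does not check for that, since the convention is tool-specific.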

## Fix Prompt

```txt title="Fix Prompt"
Review this SQL against the checklist above. Parameterise any concatenated
input, add the missing tenant filter, and confirm the query uses an index
with EXPLAIN. Return the corrected query only.
```