# The SQL Code Review Checklist: 15 Things to Check Before Every Merge
A structured SQL code review process catches performance issues, security vulnerabilities, and naming inconsistencies before they reach production. Here is the exact checklist used in enterprise data teams.
## Why SQL Code Review Is Often Skipped
SQL is frequently treated as a second-class citizen in code review processes. Pull requests for application code get thorough reviews; SQL migrations and stored procedures are often merged with a cursory glance. The consequences — slow queries in production, SQL injection vulnerabilities, inconsistent naming — are preventable.
## The 15-Point Checklist

### Performance

1. **No SELECT \*** — all columns explicitly listed
2. **SARGable WHERE clauses** — no functions wrapping indexed columns
3. **Appropriate JOIN types** — INNER vs LEFT vs CROSS used correctly
4. **No implicit conversions** — data types match between compared columns
5. **Index coverage** — new queries have supporting indexes or reuse existing ones
### Security
6. **No dynamic SQL without parameterisation** — prevents SQL injection
7. **Principle of least privilege** — procedure uses minimum required permissions
8. **No hardcoded credentials or sensitive values** in query text
### Correctness
9. **NULL handling** — IS NULL / IS NOT NULL used correctly; COALESCE where appropriate
10. **Aggregation correctness** — GROUP BY includes all non-aggregated columns
11. **Date range boundaries** — inclusive/exclusive boundaries explicitly handled
### Maintainability
12. **Consistent naming conventions** — snake_case for columns, PascalCase for stored procedures
13. **No magic numbers** — constants extracted to variables with descriptive names
14. **CTEs preferred over nested subqueries** — for readability beyond 2 levels of nesting
15. **SET NOCOUNT ON** in all stored procedures
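As an added example (not code from the article or from the SQL Querywise product), here is one hypothetical stored procedure in the form a reviewer would reject and in the form that passes checks 1, 2, 6, 11, 13 and 15; the table dbo.Orders and its columns are assumed names.

```sql
-- Constructed example. Assumed schema: dbo.Orders(order_id, customer_id,
-- order_date, status_code) with an index on (status_code, order_date).

-- BEFORE: fails checks 1, 2, 6, 13 and 15.
-- The caller's @Status value is spliced into the statement text, so whatever
-- it contains is executed as SQL rather than compared as data (check 6).
-- YEAR() wraps the indexed column, so the index cannot seek (check 2), and
-- 2024 is an unexplained literal (check 13).
CREATE OR ALTER PROCEDURE dbo.GetOrdersByStatus_Before
    @Status NVARCHAR(20)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT * FROM dbo.Orders WHERE status_code = ''' + @Status
        + N''' AND YEAR(order_date) = 2024';
    EXEC (@sql);
END;
GO

-- AFTER: passes the same checks.
-- sys.sp_executesql receives the value as a typed parameter, so it can only
-- ever be compared, never change the statement (check 6). Columns are listed
-- (check 1), the year becomes a named half-open date range that keeps the
-- predicate SARGable (checks 2, 11, 13), and NOCOUNT is set (check 15).
CREATE OR ALTER PROCEDURE dbo.GetOrdersByStatus
    @Status   NVARCHAR(20),
    @FromDate DATE,            -- inclusive lower boundary
    @ToDate   DATE             -- exclusive upper boundary
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @sql NVARCHAR(MAX) = N'
        SELECT order_id, customer_id, order_date, status_code
        FROM dbo.Orders
        WHERE status_code = @StatusParam
          AND order_date >= @FromParam
          AND order_date <  @ToParam;';

    EXEC sys.sp_executesql
        @sql,
        N'@StatusParam NVARCHAR(20), @FromParam DATE, @ToParam DATE',
        @StatusParam = @Status,
        @FromParam   = @FromDate,
        @ToParam     = @ToDate;
END;
GO
```

Calling the reviewed version for a calendar year is `EXEC dbo.GetOrdersByStatus @Status = N'SHIPPED', @FromDate = '2024-01-01', @ToDate = '2025-01-01';`, which is the inclusive/exclusive boundary pattern check 11 asks for.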
## Using the Checklist in Practice
The most effective approach is to automate as many checks as possible. SQL Querywise Reviewer runs all 15 checks (plus 38 additional enterprise rules) automatically, returning a structured report with severity levels (Critical / Warning / Info) and specific fix suggestions for each finding.
*SQL Querywise Reviewer performs automated code review against 53 enterprise T-SQL best practices in seconds.*