Reviewer runs a full SQL code audit — security vulnerabilities, naming conventions, style consistency, and best practices — with structured findings ready for your PR comments.
Input: a stored procedure with dynamic SQL. Output: security findings, naming issues, style violations — all with Rule IDs and fixes.
## Code Review Score: 6/10

## Security Issues

### 🔴 Critical — SQL_INJECTION_RISK (Severity 5)

**Finding:** Dynamic SQL built with string concatenation — SQL injection risk.

```sql
-- ❌ Vulnerable
SET @sql = 'SELECT * FROM users WHERE name = ''' + @name + ''''
EXEC(@sql)

-- ✅ Safe: use sp_executesql with parameters
EXEC sp_executesql N'SELECT * FROM users WHERE name = @name',
     N'@name NVARCHAR(100)', @name = @name
```

## Naming Convention Issues

### 🟠 High — NAMING_ALIAS (Severity 2)

**Finding:** Column aliases use single letters (a, b, c). Use descriptive names.

- `a` → `customer_id`
- `b` → `total_revenue`

### 🟡 Medium — NAMING_TABLE_PREFIX (Severity 2)

**Finding:** Table alias 'tbl_' prefix is redundant — SQL Server already knows it's a table.

## Style Issues

### 🔵 Info — KEYWORD_CASE (Severity 1)

**Finding:** Mixed keyword casing detected. Use consistent UPPERCASE for all SQL keywords.

- Line 3: `select` → `SELECT`
- Line 7: `from` → `FROM`

## Summary

| Category | Issues |
|----------|--------|
| Security | 1 critical |
| Naming | 2 issues |
| Style | 1 info |
| **Total** | **4 findings** |
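As an added illustration of how a SQL_INJECTION_RISK check like the one in the report above can be implemented: this is example code, not Reviewer's own rule engine, and the regexes, the taint rule (a variable counts as tainted once it is built by concatenating another variable) and the sample procedures are all constructed for it.

```python
import re
from dataclasses import dataclass

# Constructed example of one SQL_INJECTION_RISK check. Not the product's
# rule engine: the patterns below are deliberate simplifications.
RULE_ID, SEVERITY = "SQL_INJECTION_RISK", 5

_LITERAL = re.compile(r"'(?:[^']|'')*'")  # T-SQL string literal, '' escapes a quote
_ASSIGN = re.compile(r"^\s*(?:SET|SELECT|DECLARE)\s+(@\w+)(?:\s+[\w()]+)?\s*\+?=\s*(.*)$", re.I)
_EXEC_VAR = re.compile(r"\bEXEC(?:UTE)?\s*\(\s*(@\w+)\s*\)|\bsp_executesql\s+(@\w+)\b", re.I)
_EXEC_INLINE = re.compile(r"\bEXEC(?:UTE)?\s*\((.*)\)", re.I)
_CONCAT_VAR = re.compile(r"\+\s*@\w+|@\w+\s*\+")

@dataclass
class Finding:
    rule: str
    severity: int
    line: int
    code: str

def _concatenates_variable(expr: str) -> bool:
    # Blank out literals first: '@name' inside a quoted batch is a parameter
    # placeholder (the safe sp_executesql form), not concatenation.
    return bool(_CONCAT_VAR.search(_LITERAL.sub("''", expr)))

def review(sql: str) -> list[Finding]:
    tainted: set[str] = set()
    findings: list[Finding] = []
    for n, raw in enumerate(sql.splitlines(), 1):
        line = raw.split("--", 1)[0]  # drop trailing comments (naive about '--' in literals)
        if m := _ASSIGN.match(line):
            var, rhs = m.group(1).lower(), m.group(2)
            if _concatenates_variable(rhs): tainted.add(var)
            else: tainted.discard(var)  # rebuilt from a constant: no longer tainted
        elif m := _EXEC_VAR.search(line):
            if (m.group(1) or m.group(2)).lower() in tainted:
                findings.append(Finding(RULE_ID, SEVERITY, n, raw.strip()))
        elif (m := _EXEC_INLINE.search(line)) and _concatenates_variable(m.group(1)):
            findings.append(Finding(RULE_ID, SEVERITY, n, raw.strip()))
    return findings

# Constructed inputs mirroring the vulnerable and safe snippets in the report.
VULNERABLE_SQL = """DECLARE @sql NVARCHAR(MAX);
SET @sql = 'SELECT * FROM users WHERE name = ''' + @name + '''';
EXEC(@sql);"""
SAFE_SQL = """EXEC sp_executesql N'SELECT * FROM users WHERE name = @name',
     N'@name NVARCHAR(100)', @name = @name;"""
```

The check also catches the case where a concatenated batch is later passed to `sp_executesql` as its statement, since parameterising a query whose text already contains user input does not remove the injection.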
Security, style, naming, and best practices — all in one structured report.
Identifies dynamic SQL built with string concatenation — the most common SQL injection vector in enterprise T-SQL codebases.
Checks table names, column aliases, variable names, and object prefixes against configurable naming standards.
Enforces keyword casing, indentation patterns, and formatting rules so your entire codebase reads the same way.
Flags SELECT *, hardcoded values, magic numbers, missing comments on complex logic, and other patterns that make code hard to maintain.
Checks against 53 enterprise T-SQL rules including SET NOCOUNT ON, schema prefixes, transaction handling, and error handling patterns.
Every finding includes a Rule ID, severity level, the problematic code, and the corrected version — structured for commit comments or Jira tickets.
Run Reviewer before merging any SQL change. Get a structured list of issues to address — faster than manual review, more consistent than memory.
Scan stored procedures for SQL injection patterns, hardcoded credentials, and excessive permissions before a security review.
Run Reviewer across your entire stored procedure library to identify naming and style inconsistencies accumulated over years.
Use Reviewer output as structured feedback for junior Data Engineers — specific, actionable, and educational.
Custom rule configuration is on the roadmap. Currently Reviewer uses enterprise T-SQL best practices as the standard.
Reviewer detects the most common T-SQL injection patterns (string concatenation in dynamic SQL, EXEC with user input). It is not a replacement for a full security audit.
Yes. Paste the full CREATE PROCEDURE statement including all parameters and logic. Reviewer analyses the complete object.
Sign in to run Reviewer on your own SQL queries. 3 free uses — no credit card required.