DMS integrates SQL review and optimization suggestions into its security rules. In the SQL console or during data changes, this feature reviews your submitted SQL statements for compliance and provides optimization suggestions. It helps you identify and resolve problematic SQL before you commit changes, which prevents potential issues and database exceptions after the statements are executed.
Prerequisites
-
Your system role is DBA or administrator. For more information, see User Management.
-
You have created a security rule. For more information, see Create a security rule.
-
Database type:
-
MySQL: RDS for MySQL, PolarDB for MySQL, MariaDB, PolarDB-X, AnalyticDB for MySQL, or other MySQL sources
-
Oracle
-
PolarDB for PostgreSQL (Oracle Compatible)
-
OceanBase
-
System actions
DMS provides three predefined system actions:
-
must be improved: If you do not improve the statement, the system automatically blocks the process and displays a notification. The initial SQL review rules do not include any rules set to must be improved.
NoteFor a list of checks performed by the SQL review rules, see Check items.
For example, if the
Tables must have a primary keyrule is set tomust be improved, the system will block the execution of an SQL statement that creates a table without a primary key and require the developer to modify the statement to pass validation before execution. -
Potential issue: This indicates an issue with the SQL statement, but it does not block the process.
-
Suggested improvement: An improvement is suggested, but it does not block the process.
Feature support in different control modes
DMS offers three different control modes. For more information, see Control Modes.
|
Feature |
Secure collaboration |
Stable change |
Flexible O&M |
|
Enable or disable rules |
Supported |
Supported |
Supported |
|
Configure actions |
Supported |
Not configurable |
Not configurable |
|
Change rule parameters For some rules, you can specify parameters, such as the maximum number of indexes or columns in a table. |
Supported |
Supported |
Not configurable |
|
Configure remarks Configure the business context for a rule. |
Supported |
Not configurable |
Not configurable |
Procedure
By default, each security rule includes a set of SQL review rules. This example shows you how to customize the configuration by setting the A table must have a primary key rule to must be improved.
Log in to DMS 5.0.
-
Move the pointer over the
icon in the upper-left corner and choose . NoteIf you use the DMS console in normal mode, choose in the top navigation bar.
-
In the Actions column for the target security rule, click Edit.
NoteTo configure settings for the Flexible Management or Stable Change mode, click SQL audit optimization recommendations to the right of the corresponding control mode.
-
In the left-side navigation pane of the Details page, click SQL audit optimization recommendations.
-
For the
A table must have a primary keyrule, click Edit in the Actions column.NoteYou can quickly filter the rules by clicking the
icon next to Tag (the scope where the rule applies, including DDL and DML statements), Action, or Status (enabled or disabled). -
In the Configure Rule Content dialog box, configure the following parameters.
The available values for Action also include potential issue and suggested improvement.
Parameter
Description
Action
Set Action to must be improved.
NoteBy default, no initial rules are set to must be improved.
Remarks
Enter remarks for the rule, such as business context.
-
Click OK.
In subsequent tasks such as data development, data change, and SQL review, DMS checks your SQL statements against the configured security rules.
If a statement violates the
A table must have a primary keyrule, the system automatically blocks the process.
Check items
-
SQL Specification Check includes the following items.
Table schema definition
Check item
Applicable SQL
Rule name and ID
Database attributes
CREATE DATABASERestrict the character set for database creation: CREATE_DATABASE_LIMIT_CHARSET
Table attributes
-
CREATE TABLE -
ALTER TABLE
-
A table must have a primary key: TABLE_MUST_HAVE_PRIMARY_KEY
-
A table must have comments: TABLE_MUST_HAVE_COMMENTS
-
Do not use foreign keys in tables: TABLE_FORBID_USE_FOREIGN_KEY
-
Restrict character case for table names: TABLE_NAME_LIMIT_CHAR_CASE
-
Restrict the storage engine for tables: TABLE_LIMIT_STORE_ENGINE
-
Do not use partitions for tables: TABLE_FORBID_USE_PARTITION
-
A table must contain specific columns: TABLE_MUST_HAVE_SOME_COLUMN
-
A table must use a specific character set: TABLE_MUST_USE_SOME_CHARSET
-
A table must use a specific collation: TABLE_MUST_USE_SOME_COLLATION
-
Table names cannot be keywords: TABLE_NAME_FORBID_KEYWORD
-
Limit the number of indexes in a table: TABLE_LIMIT_INDEX_COUNT
-
Limit the number of columns in a table: TABLE_LIMIT_COLUMN_COUNT
-
Limit the initial auto-increment value for a table: TABLE_LIMIT_INIT_AUTO_INCREMENT
-
The primary key column must be auto-incrementing: LIMIT_PRIMARY_COLUMN_AUTO_INCREMENT
-
Do not use views: TABLE_FORBID_USE_VIEW
-
Do not use triggers: TABLE_FORBID_USE_TRIGGER
-
Do not use events: TABLE_FORBID_USE_EVENT
-
Do not use stored procedures: TABLE_FORBID_USE_STORED_PROCEDURE
-
Do not use custom functions: TABLE_FORBID_USE_CUSTOM_FUNCTION
-
Use the
ALTER TABLE CONVERTsyntax to modify the table character set: MODIFY_CHARSET_USE_ALTER_TABLE_CONVERT
Column attributes
-
CREATE TABLE -
ALTER TABLE
-
Column names cannot be keywords: COLUMN_NAME_FORBID_KEYWORD
-
Restrict character case for column names: COLUMN_NAME_LIMIT_CHAR_CASE
-
Do not set a character set for a column: COLUMN_FORBID_SET_CHARSET
-
Do not use certain data types for columns: COLUMN_FORBID_DATA_TYPES
-
Columns must have comments: COLUMN_MUST_HAVE_COMMENTS
-
Limit the length of
chartype columns: COLUMN_LIMIT_CHAR_LENGTH -
Limit the length of
varchartype columns: COLUMN_LIMIT_VARCHAR_LENGTH -
All columns must be set to
NOT NULL: COLUMN_MUST_SET_NOT_NULL -
The name of the auto-incrementing column must be
ID: COLUMN_AUTO_INCREMENT_NAME_ID -
Auto-incrementing columns must be unsigned: COLUMN_AUTO_INCREMENT_UNSIGNED
-
Do not use
floatordoubletypes (usedecimalinstead): COLUMN_FORBID_FLOAT_DOUBLE_TYPE -
Every column must have a default value: EACH_COLUMN_NEED_DEFAULT_VALUE
-
Do not set a collation for a column: COLUMN_FORBID_SET_COLLATE
-
Do not rename columns when using ALTER TABLE: ALTER_TABLE_FORBID_RENAME_COLUMN
-
Do not drop columns when using ALTER TABLE: ALTER_TABLE_FORBID_DROP_COLUMN
-
Do not change data types when using ALTER TABLE: ALTER_TABLE_FORBID_MODIFY_DATA_TYPE
-
New columns added with ALTER TABLE must be nullable: ALTER_TABLE_ADD_COLUMN_NULLABLE
-
When adding a non-nullable column with ALTER TABLE, a default value must be specified: ALTER_ADD_NOT_NULL_COLUMN_NEED_DEFAULT
-
When changing a nullable column to non-nullable, a default value must be specified: COLUMN_NULLABLE_TO_NOT_NEED_DEFAULT
-
Do not use the
enumtype (usetinyintorcharinstead): COLUMN_FORBID_USE_ENUM_TYPE -
Do not use the
ZEROFILLattribute for columns: COLUMN_DATA_TYPE_FORBID_ZEROFILL
Index attributes
-
CREATE TABLE -
ALTER TABLE
-
Each index must be explicitly named: INDEX_MUST_HAVE_CLEARLY_NAME
-
Restrict the naming pattern for
Uniqueindexes: UNIQUE_INDEX_NAME_PATTERN -
Restrict the naming pattern for common indexes: COMMON_INDEX_NAME_PATTERN
-
Limit the number of columns in a single index: INDEX_LIMIT_CONTAINS_COLUMNS
-
Limit the number of columns in a primary key: PRIMARY_LIMIT_CONTAINS_COLUMNS
-
Restrict the data type of primary key columns: PRIMARY_LIMIT_COLUMN_DATA_TYPE
-
Do not drop the primary key when using ALTER TABLE: ALTER_TABLE_FORBID_DROP_PRIMARY
-
Do not drop an index when using ALTER TABLE: ALTER_TABLE_FORBID_DROP_INDEX
Data query
Check item
Applicable SQL
Rule name and ID
SELECT-
SELECT -
INSERT SELECT -
Subqueries (nested in
UPDATEorDELETEstatements)
-
SELECTstatements should specify aWHEREclause: SELECT_SUGGEST_ASSIGN_WHERE -
Do not use
ORDER BY RAND()inSELECTstatements: SELECT_FORBID_USE_ORDER_BY_RAND -
Do not use
GROUP BYon a constant inSELECTstatements: SELECT_FORBID_GROUP_BY_CONST -
Do not use
ORDER BYon a constant inSELECTstatements: SELECT_FORBID_ORDER_BY_CONST -
A
SELECTstatement should not useGROUP BYorORDER BYon different tables: SELECT_FORBID_GROUP_ORDER_BY_DISTINCT_TABLE -
In
SELECTstatements, do not useORDER BYto sort multiple columns in different directions: SELECT_FORBID_ORDER_BY_MULTI_COLUMN_RANK -
SELECTstatement: Do notGROUP BYorORDER BYan expression or a function: SELECT_FORBID_GROUP_ORDER_BY_EXPR_OR_FUNCTION -
Do not use
UNIONinSELECTstatements: SELECT_FORBID_USE_UNION -
Limit the number of tables joined in a
SELECTstatement: SELECT_LIMIT_TABLE_JOIN_COUNT -
The
SELECTstatement limit on theLIMITclauseoffsetsize: SELECT_CONFINE_LIMIT_MAX_OFFSET -
Do not use a
HAVINGclause inSELECTstatements: SELECT_FORBID_USE_HAVING
WHEREclauseStatements that contain a
WHEREclause, such asSELECT,UPDATE,DELETE, andINSERT SELECT.-
Do not apply mathematical or function operations to indexed columns in a
WHEREclause: WHERE_FORBID_INDEX_COLUMN_HAS_MATH -
Do not use a leading wildcard in searches within a
WHEREclause: WHERE_FORBID_BEFORE_WILDCARD_SEARCH -
Check for
LIKEstatements without a wildcard in theWHEREclause: WHERE_CHECK_LIKE_HAS_NOT_WILDCARD -
Do not use negative conditions such as
NOT INorNOT LIKEin aWHEREclause: WHERE_FORBID_USE_REVERSE_SEARCH -
The limit in a
WHEREclause on the number of elements in anINclause: WHERE_LIMIT_IN_ITEM_MAX_COUNT -
Check for implicit type conversions on columns in a
WHEREclause: WHERE_CHECK_COLUMN_IMPLICIT_TYPE_CONVERSION -
Check for filter conditions linked by the
ORoperator in aWHEREclause: WHERE_CHECK_OR_LINK_CONDITION
Data change
Check item
Applicable SQL
Rule name and ID
Insert data
-
INSERT SELECT -
INSERT [IGNORE] -
REPLACE
-
An
INSERTstatement should specify a column list: ASSIGN_INSERT_COLUMN_NAME_LIST -
Do not use duplicate column names in the
INSERTcolumn list: INSERT_COLUMN_NAME_FORBID_DUPLICATE -
Do not insert a
NULLvalue into aNOT NULLcolumn: NOT_NULL_COLUMN_FORBID_INSERT_NULL -
The column list must match the values list in an
INSERTstatement: INSERT_COLUMN_MUST_MATCH_VALUES -
Limit the total number of rows in a single
INSERT VALUESstatement: LIMIT_INSERT_VALUES_TOTAL_ROWS -
Check whether the table or column specified in an
INSERTstatement exists: INSERT_CHECK_TABLE_COLUMN_EXISTS -
Do not use the
SYSDATE()function in insert statements: INSERT_FORBID_USE_SYSDATE_FUNCTION
Update and delete data
-
UPDATE -
DELETE
-
Limit the number of tables joined in
UPDATEorDELETEstatements: UPDELETE_LIMIT_TABLE_JOIN_COUNT -
UPDATEorDELETEstatements should specify aWHEREclause: UPDELETE_ASSIGN_WHERE_CONDITION -
Check whether the
WHEREclause contains a subquery inUPDATEorDELETEstatements: UPDELETE_CHECK_WHERE_EXIST_SUB_QUERY -
Limit the number of affected rows by using
LIMITinUPDATEorDELETEstatements: UPDELETE_CHECK_LIMIT_AFFECTED_ROWS -
Detects whether the multi-table join syntax is complete for
UPDATEorDELETEstatements (for example, ajoinclause is missing anonclause): UPDELETE_CHECK_TABLE_JOIN_LOSS_ON -
Do not include an
ORDER BYclause inUPDATEorDELETEstatements: UPDELETE_FORBID_ORDER_BY -
UPDATEstatement check:SETdelimiter between multiple columns (andis invalid): UPDATE_CHECK_SET_ITEM_DELIMITER -
UPDATEon multiple tables: Checks if columns in theSETclause are specified with a table prefix: UPDATE_MULTI_TABLE_CHECK_SET_COLUMN_PREFIX -
Check whether the tables or columns in an
UPDATEstatement exist: UPDATE_CHECK_TABLE_COLUMN_EXIST -
Check whether an
UPDATEstatement modifies the primary key: UPDATE_CHECK_PRIMARY_KEY_CHANGE -
Check whether an
UPDATEstatement modifies a unique key: UPDATE_CHECK_UNIQUE_KEY_CHANGE -
An
UPDATEstatement should also update the table's "modified time" column: UPDATE_ALSO_TO_UPDATE_MODIFY_TIME_COLUMN -
Do not update the table's "creation time" column in an
UPDATEstatement: UPDATE_FORBID_MODIFY_CREATE_TIME_COLUMN
-
-
SQL Optimization Suggestions include the following check items.
Category
Check item
None
-
Optimize tables where the primary key is of
inttype: OPTIMIZE_PRIMARY_IS_INT_TABLE -
Warn about insufficient remaining space for auto-incrementing primary keys: SNIFFING_AUTO_PRIMARY_REMAIN_SPACE
-
Warn about the risk of
NULLvalues in a unique key (UK): SNIFFING_UNIQUE_EXIST_NULL_RISK -
Warn about and optimize DDL table locks or change failures: ALTER_LOCK_FAIL_SNIFFING_OPTIMIZE
-
Detect SQL injection risks: CHECK_SQL_INJECTION_RISK
-
Detect risks from using forced indexes
(FORCE INDEX): CHECK_SQL_ASSIGN_FORCE_INDEX -
Check the index in the execution plan: SQL_EXPLAIN_INDEX_CHECK
-
DMS index analysis and suggestions: DMS_INDEX_ANALYZE_AND_SUGGEST
-