SQLens

A comprehensive VS Code extension for analyzing, visualizing, and optimizing SQL queries in PHP code. This extension helps developers identify potential security risks, performance issues, and provides intelligent insights for database queries.

Features

Core Capabilities

SQL Detection: Automatically finds SQL queries in PHP code across multiple frameworks
Security Analysis: Detects potential SQL injection vulnerabilities
Performance Insights: Identifies anti-patterns and performance issues
Query Visualization: Shows execution plans and query analysis
Multi-Framework Support: Works with WordPress, Laravel, PDO, MySQLi, ezSQL and more

Supported Frameworks

ezSQL: $db->get_results(), $db->get_row(), $db->get_var(), $db->get_col(), $db->query(), $db->escape(), etc.
WordPress: $wpdb->get_results(), $wpdb->prepare(), etc.
Laravel: DB::select(), DB::raw(), etc.
PDO: $pdo->query(), $pdo->prepare(), etc.
MySQLi: mysqli_query(), $mysqli->prepare(), etc.

Key Features

Intelligent Code Analysis

Real-time PHP AST parsing to extract SQL queries
Automatic detection of query frameworks and methods
Context-aware analysis with taint tracking

Security Scanning

SQL injection vulnerability detection
Unsafe concatenation warnings
Parameter binding validation
Risk severity classification (High/Medium/Info)

Performance Analysis

SELECT * usage warnings
NULL comparison anti-patterns (= NULL vs IS NULL)
OR explosion detection
Index usage recommendations

Query Visualization

Hover Information: Quick summary with tables, columns, and safety status
CodeLens Integration: Inline Preview/Explain/Copy actions
Side Panel: Complete list of all queries in workspace
Explain Plans: Visual execution plan analysis

Database Integration (Optional)

Safe query preview (SELECT only, limited rows)
EXPLAIN plan execution
Schema discovery and caching
Read-only connection security

Configuration

Basic Settings

{
  "sqlens.enable": true,
  "sqlens.frameworks": [
    "pdo",
    "mysqli",
    "wordpress",
    "ezsql",
    "laravel-db"
  ]
}

Database Connection (Optional)

{
  "sqlens.preview.enabled": false,
  "sqlens.schema.driver": "mysql",
  "sqlens.schema.host": "127.0.0.1",
  "sqlens.schema.port": 3306,
  "sqlens.schema.database": "your_database",
  "sqlens.schema.user": "readonly_user"
}

Security Settings

{
  "sqlens.preview.rowLimit": 5,
  "sqlens.preview.timeoutMs": 2000,
  "sqlens.preview.allowNonSelect": false
}

Security & Privacy

Default Mode: Completely offline static analysis only
Optional Features: Database connections are opt-in only
Safe Execution: Only SELECT queries allowed, with row limits and timeouts
No Data Transmission: All analysis happens locally
Read-Only Access: Database connections use read-only credentials

Usage Examples

ezSQL Development

// ✅ Safe - using escape method
$search_term = $db->escape($_GET['search']);
$results = $db->get_results("SELECT id, name FROM users WHERE name LIKE '%{$search_term}%'");

// ✅ Safe - no user input
$active_users = $db->get_row("SELECT COUNT(*) FROM users WHERE active = 1");

// ⚠️ Warning - potential SQL injection
$risky_query = $db->get_results("SELECT * FROM users WHERE email = '" . $_POST['email'] . "'");

// ⚠️ Warning - SELECT * usage
$all_data = $db->get_results("SELECT * FROM large_table");

// ✅ Best Practice - specific columns with escaping
$safe_search = $db->escape($user_input);
$optimized = $db->get_results("SELECT id, name, email FROM users WHERE status = '{$safe_search}'");

WordPress Development

// ✅ Safe - using prepared statements
$results = $wpdb->get_results($wpdb->prepare(
    "SELECT * FROM posts WHERE post_status = %s",
    $status
));

// ⚠️ Warning - potential SQL injection
$results = $wpdb->get_results(
    "SELECT * FROM posts WHERE post_status = '" . $_GET['status'] . "'"
);

Laravel Development

// ✅ Safe - using parameter binding
$users = DB::select('SELECT * FROM users WHERE active = ?', [1]);

// ⚠️ Warning - SELECT * usage
$users = DB::select('SELECT * FROM users');

PDO Development

// ✅ Safe - prepared statement
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = ?');
$stmt->execute([$id]);

// ❌ Error - direct concatenation
$result = $pdo->query("SELECT * FROM users WHERE name = " . $_POST['name']);

Commands

SQLens: Preview Query - Preview query results (max 5 rows)
SQLens: Explain Query - Show execution plan
SQLens: Copy Query - Copy SQL to clipboard
SQLens: Refresh Queries - Refresh query list

Development

Prerequisites

Node.js 20+
VS Code 1.103+

Building from Source

git clone https://github.com/aliyilmazco/sqlens.git
cd sqlens
npm install
npm run compile

Running Tests

npm run test

Debugging

Open in VS Code
Press F5 to launch Extension Development Host
Open a PHP file to test the extension

Known Issues

Complex Eloquent ORM queries may not be fully analyzed
Taint analysis is basic and may produce false positives/negatives
EXPLAIN plans require database connection configuration

Roadmap

[ ] Enhanced Eloquent ORM support
[ ] PostgreSQL EXPLAIN plan visualization
[ ] Advanced taint analysis with data flow tracking
[ ] Quick fix suggestions (e.g., SELECT * → specific columns)
[ ] CI/CD integration for pull request analysis
[ ] Query performance benchmarking

License

This project is licensed under the MIT License.

Acknowledgments

php-parser for PHP AST parsing
mysql2 for MySQL connectivity
VS Code team for the excellent extension API

SQLens

Ali Yilmaz

SQLens

Features

Core Capabilities

Supported Frameworks

Key Features

Intelligent Code Analysis

Security Scanning

Performance Analysis

Query Visualization

Database Integration (Optional)

Configuration

Basic Settings

Database Connection (Optional)

Security Settings

Security & Privacy

Usage Examples

ezSQL Development

WordPress Development

Laravel Development

PDO Development

Commands

Development

Prerequisites

Building from Source

Running Tests

Debugging

Known Issues

Roadmap

License

Acknowledgments