How to check all PL/pgSQL functions in my database at once?

Use the SQL queries provided in the README, such as SELECT p.oid, p.proname, plpgsql_check_function(p.oid) FROM pg_proc p JOIN pg_language l ON p.prolang = l.oid WHERE l.lanname = 'plpgsql'; for mass checking. This allows batch validation of your entire codebase efficiently.

plpgsql_check vs pgTAP for testing stored procedures?

plpgsql_check focuses on static analysis to catch errors and performance issues before runtime, while pgTAP is for unit testing and validating functional behavior. They are complementary; use plpgsql_check for code quality and pgTAP for output verification.

Can plpgsql_check detect SQL injection in dynamic EXECUTE statements?

Yes, but with caveats. It attempts to identify vulnerabilities, but the README explicitly warns it cannot catch all issues and may raise false alarms, especially with sanitized variables or composite types. It should not be the sole security measure.

How to disable warnings for a specific function or code block?

Use pragma directives like PERFORM plpgsql_check_pragma('disable:check'); within the function, or set function-level options via ALTER FUNCTION ... SET plpgsql.enable_check TO false;. This allows fine-grained control over which checks are applied.

Does plpgsql_check work with PostgreSQL 13 or older?

No, the README states support for PostgreSQL 14 to 18 only. Older versions are not compatible, which can be a barrier for legacy systems or teams unable to upgrade quickly.

How to use the profiler to identify slow PL/pgSQL code?

Enable the profiler by setting plpgsql_check.profiler to on or calling plpgsql_check_profiler(true), execute your functions, then query plpgsql_profiler_function_tb to see average execution times per line, helping pinpoint performance bottlenecks.

What are pragmas and how do I use them in plpgsql_check?

Pragmas are directives that configure plpgsql_check's behavior within a function. Use the plpgsql_check_pragma function or shorthand syntax like PERFORM 'PRAGMA:TYPE:r (a int, b int)'; to set variable types or enable/disable specific checks for dynamic code sections.

plpgsql_check — PostgreSQL PL/pgSQL Linter

What is plpgsql_check?

plpgsql_check is a PostgreSQL extension that performs static code analysis on PL/pgSQL stored procedures and functions. It identifies semantic errors, performance issues, security vulnerabilities, and code quality problems before runtime execution. The tool leverages PostgreSQL's internal parser to ensure findings match what would actually occur during function execution.

Target Audience

PostgreSQL database developers and administrators who write and maintain PL/pgSQL stored procedures, particularly those working on large codebases where manual code review is insufficient.

Value Proposition

Unlike basic syntax checking, plpgsql_check performs deep semantic analysis using PostgreSQL's own evaluation engine, catching errors that CREATE FUNCTION commands miss. It provides configurable warning levels, pragma directives for fine-grained control, and supports both active checking via function calls and passive checking during development.

plpgsql_check is a linter tool (does source code static analyze) for the PostgreSQL language plpgsql (the native language for PostgreSQL store procedures).

Use Cases

Best For

Identifying semantic errors in PL/pgSQL functions before deployment
Finding performance issues like implicit casts that prevent index usage
Detecting SQL injection vulnerabilities in dynamic EXECUTE statements
Maintaining large PL/pgSQL codebases with consistent quality standards
Checking trigger functions with proper relation context
Analyzing function dependencies and impact of schema changes

Not Ideal For

Projects heavily relying on dynamic SQL or refcursors, as static analysis cannot verify runtime-assembled queries
Environments where shared memory cannot be allocated (e.g., restricted cloud databases), limiting profiler functionality
Teams needing zero-configuration, out-of-the-box linting without modifying PostgreSQL settings or using pragmas
Applications that create and use temporary tables within PL/pgSQL function execution, which plpgsql_check cannot statically validate

Pros & Cons

Pros

Semantic SQL Validation

Leverages PostgreSQL's internal parser to check SQL statements for column existence, type correctness, and relation references, ensuring errors found would actually occur at runtime.

Performance Issue Detection

Flags unwanted implicit casts that could prevent index usage and impact query performance, helping optimize code before deployment.

Security Vulnerability Scanning

Attempts to identify SQL injection vulnerabilities in EXECUTE statements, though the README cautions it cannot catch all issues and is not a security audit substitute.

Flexible Configuration Options

Allows granular control via function parameters (e.g., fatal_errors, performance_warnings) and pragma directives to tailor checks for specific code sections.

Integrated Profiling and Tracing

Includes built-in profiler for execution time analysis and tracer for debugging, reducing reliance on external tools for performance tuning.

Cons

Dynamic Code Blind Spots

Cannot analyze queries assembled at runtime or refcursors, leading to false positives or missed errors, requiring workarounds like pragmas or disabling checks.

Complex Trigger Setup

Checking trigger functions requires manually specifying relation IDs and transition tables, adding overhead and potential for mistakes in multi-trigger environments.

Shared Memory Dependency

Profiler requires shared memory allocation via shared_preload_libraries, which may not be feasible in all deployments, limiting profiling to session scope when unavailable.

No In-Place Updates

The extension does not support updates; it must be dropped and reinstalled for new versions, causing downtime and complicating version management in production.

Frequently Asked Questions

What is plpgsql_check?

Target Audience

PostgreSQL database developers and administrators who write and maintain PL/pgSQL stored procedures, particularly those working on large codebases where manual code review is insufficient.

Value Proposition

Use Cases

Best For

Identifying semantic errors in PL/pgSQL functions before deployment
Finding performance issues like implicit casts that prevent index usage
Detecting SQL injection vulnerabilities in dynamic EXECUTE statements
Maintaining large PL/pgSQL codebases with consistent quality standards
Checking trigger functions with proper relation context
Analyzing function dependencies and impact of schema changes

Not Ideal For

Projects heavily relying on dynamic SQL or refcursors, as static analysis cannot verify runtime-assembled queries
Environments where shared memory cannot be allocated (e.g., restricted cloud databases), limiting profiler functionality
Teams needing zero-configuration, out-of-the-box linting without modifying PostgreSQL settings or using pragmas
Applications that create and use temporary tables within PL/pgSQL function execution, which plpgsql_check cannot statically validate

Pros & Cons

Pros

Semantic SQL Validation

Leverages PostgreSQL's internal parser to check SQL statements for column existence, type correctness, and relation references, ensuring errors found would actually occur at runtime.

Performance Issue Detection

Flags unwanted implicit casts that could prevent index usage and impact query performance, helping optimize code before deployment.

Security Vulnerability Scanning

Attempts to identify SQL injection vulnerabilities in EXECUTE statements, though the README cautions it cannot catch all issues and is not a security audit substitute.

Flexible Configuration Options

Allows granular control via function parameters (e.g., fatal_errors, performance_warnings) and pragma directives to tailor checks for specific code sections.

Integrated Profiling and Tracing

Includes built-in profiler for execution time analysis and tracer for debugging, reducing reliance on external tools for performance tuning.

Cons

Dynamic Code Blind Spots

Cannot analyze queries assembled at runtime or refcursors, leading to false positives or missed errors, requiring workarounds like pragmas or disabling checks.

Complex Trigger Setup

Checking trigger functions requires manually specifying relation IDs and transition tables, adding overhead and potential for mistakes in multi-trigger environments.

Shared Memory Dependency

Profiler requires shared memory allocation via shared_preload_libraries, which may not be feasible in all deployments, limiting profiling to session scope when unavailable.

No In-Place Updates

The extension does not support updates; it must be dropped and reinstalled for new versions, causing downtime and complicating version management in production.

Frequently Asked Questions

plpgsql_check

What is plpgsql_check?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?

plpgsql_check

What is plpgsql_check?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?