There are some third-party tools to

There are some third-party tools to help database application
developers produce program code of high quality. Quest
Software's (Now Dell’s) TOAD [24] is a proprietary tool that
offers help at the application programming level for different
DBMS’s (see http://www.orafaq.com/node/846 for a tutorial
explanation for Oracle’s PL/SQL). Primarily, it consists of
software engineering advice of the form "make your variable
names self-describing" and encouragement to reduce code
complexity as is measured by metrics such as McCabe's
cyclomatic complexity (which measures the number of
independent paths through program code -- the fewer the better).
Within TOAD, a special module called CodeXpert offers SQL
performance tuning help. CodeXpert allows the user to invoke a
pre-defined set of rules or to create new ones. The rules pertain to
single SQL statements. An example would be: find all SQL
statements that join more than four tables. A more sophisticated
example is to find queries that have insufficient index support. To
identify the latter, CodeXpert runs the queries through the
Explain Plan facility. CodeXpert then simulates the addition of
possibly useful indexes and reruns Explain Plan. Such tools work
well for single SQL statements. AppSleuth’s methodology
extends the tuning capabilities to the multi-statement level.
Other third-party tools, proprietary or open source, which can do
sophisticated static code analysis include klocwork[31],
fortify[32], coverity[33], Enterprise Architect[34], Findbugs[35],
PMD[36], etc. All these tools can statically analyze code written
in one or more of the languages like C/C++, java, C#, Delphi, VB
etc. NIST annually holds a Static Analysis Tool Exposition
(SATE) [27] to advance research in static analysis tools to find
bugs related to security problems. But these tools or solutions
analyze code structures and dependencies to find security
vulnerabilities and programming bugs like resource leaks,
unreferenced variables etc. and report the defects in details. They
mainly work in the context of a specific programming language,
ignoring database interactions.
Researchers from Microsoft proposed a static analysis
methodology for database application binaries in a general sense
[28]. Their method enhances traditional optimizing compilers
with knowledge about data access APIs (e.g. ADO.NET) and
database domains. The solution is based on a compiler
framework, adopting data flow and control flow analysis
customized for database access, forming “a layer of static analysis
services for database applications”, on top of which vertical tools
are built with different functionalities such as detecting SQL
injection vulnerabilities, “extracting the SQL workloads from the
binaries”, or identifying potential data integrity violations. The
static analysis framework aims to make the application code more
DBMS-friendly, but treats performance as one feature among
many auxiliaries of collecting workload etc.
[29] proposed a profiling infrastructure that, during application
run time, logs events from different contexts: instrumented
application events, ADO.NET tracing and Microsoft SQL Server
tracing. After correlating and matching traces from the
application context and those from DBMS context, a
summary/detail view is given involving various attributes like
function names, execution time, number of invocations, SQL text,
number of reads/writes, etc. The “global” profiled data view is the
basis for database application developing tasks like detecting
problematic functions which have caused DB server deadlocks, or
suggesting query hints in application code. Profiling is helpful to