No more stored procedures…YAY!
During a recent upgrade to an application Ive been working, all but one of the stored procedures was removed.
What?!?! Indeed, data access can happen without stored procedures, and as referenced in some other weblog posts this may be very advantageous. Go ahead and read this post (stored procedures are bad, m’kay?) now… I’ll wait.
In the case of this particular application, there was always an issue about keeping three different projects in sync (the DAL, the database project, and the installer project).
Any time that I needed to make a change to retrieve additional data from a table in the application’s database, I had to make changes to three projects. First off, I had to update the database project to modify the stored procedure. Once that modification was done, I was able to modify the Data Access Layer to use the new field. Finally, when everything was done, I needed to remember to update the installer project so that the scripts that create and update the database have the correct stored procedures.
Now, as you can see this can cause quite a bit of headache and an update process that can be very prone to error. The way that I found to get around this is to move all but the most complex stored procedures (the ones that were actually performing real work) into the DAL directly.
What this means is that instead of having a stored procedure that does ‘SELECT * FROM Users’, I send that command directly to the SQL database using the SqlCommand object in the .NET framework. The technique is identical to what is used to execute the stored procedures.
One thing that I hear quite a bit is that you open yourself up to Sql injection attacks when using dynamic sql, instead of stored procedures, because you can not use parameters. This is completely wrong. Let me show an small working example:
SqlCommand cmd = new SqlCommand("select * from users where UserName = @UserName"); cmd.Parameters.Add("@UserName", SqlDbType.VarChar).Value = someUserNameVariable;
You see here that you have exactly the same parameter semantics as you do using stored procedures. These semantics allow you to pass values into the parameter object where they will be scrubbed to make sure that no sql injection attacks can take place.
Using dynamic sql in the data access layer, if I want to update the columns that are pulled back, I no longer have to modify a stored procedure in the database project. Also, I dont have to modify the installer project, because all of my sql is right where it belongs… in the data access layer.
You’re not using an O/R Mapper?!?!?!
As my team lead keeps pointing out when I mention this concept:
You must either be using AppRoles for your security, or you must be willing to give away much higher permissions to the tables directly to the users of your application for this technique to work.
Procs as security administration tools to remove the motivation for a middle tier for security chokepoint reasons seem to +1 stored procedures from where I’m sitting.
Delphi has been implmenting DataSets for a while thats the way to go for database providers
