Patrik Löwendahl's shout!
All that is required for the triumpf of evil, is for good people to remain silent and do nothing - Sir Edmund Burke
 
 
Home
  Latest posts
  My Writings
  My Code
  My Gallery
  About me
 
  rssfeed Syndication
 
Bloggtoppen.se
 
 
Links
  Cornerstone
  SweNug
 
Post categories
  misc (48)
  Architecture (21)
  C# (19)
  Asp.Net (2)
  Vb.Net (2)
  Training (7)
  Data (19)
  Events (40)
  Platform (2)
  Orcas (4)
  Updates (3)
  Methods (10)
  Tools (6)
  Announcements (14)
  Languages (1)
  Patterns (6)
  Opinions (11)
  Fun (3)
  Ineta (1)
  Opinion (0)
  Practices (2)
  WCF (5)
 
 
 

Why I avoid Sprocs

 Tuesday, June 19, 2007

My latest addition to the blogging world was received with mixed feelings. The general idea of that post and the code that came along with it was to make it easier to work with "ad-hoc" queries in your code. The discussion in the comments was not so much about my proposed solution for handling ad-hoc queries as it was about sprocs vs ad-hoc. This is a really old debate, kind of the "el classico" of data access but I would like to elaborate on some of the comments and explain what motivates me to avoid sprocs as long as possible.

Read more here https://lowendahl.net/showShout.aspx?id=140

In some of the comments, sprocs are looked at as a single point of integration. The scenario is that multiple applications should access the same data and do so through the same sprocs. The argument is that this will enable re-use and add the ability to make changes that affect all applications that uses the sproc.

"Bob" comments that:

"an added benefit of SPs is that they provide a centralized, unified view to the data. When business rules change, they only have to change in one place -- the SP"

I can understand that in legacy systems, heck I'm even a father to a couple of those, sprocs was the single point of integration and really the only way to share rules and data access cross-platform and cross-applications. But it was a long time ago that we really could count those solutions as any kind of best practice. In 2007 reuse of rules and processes is best enabled by a SOA.

There is also other things with having rules and process expressed inside sprocs that bothers me. First of all SQL is really not a language that excels in describing and enforcing business rules. It was created to be effective for CRUD, SET based operations, and not to capture business intent. Languages like C#, Java and Ruby are much better at that.

Secondly testability goes out the window the moment I start to write my complex price calculations in SQL, there is just not enough support to do isolated unit testing on single sprocs without directly hitting "integration testing". Whereas application languages and frameworks have extensive support.

Tests are a key component in successfully changing any business rules that are already in production. Without them, you will just not know what you broke until it is to late, with hours of debugging, fixing and work around as a result.

These two areas are enough to make me keep any kind of business knowledge in SQL but there is a lot of others that count to, such as:

* The implicit constraint on scalability that Evan Hoff wrote a nice summary about over here: http://www.evanhoff.com/archive/2007/06/05/19.aspx .

* The inability to create flexible queries with where clauses, order by, group by etc that are based on decisions made by the application.

* The static way which they are pre-compiled, which lures people into "performance" traps only solved with the "with recompile" (for sql server) flag on a sproc call, effectively re-rendering the query plan anyway.

* The fact that SQL is just plain ugly and hard to maintain when you get to a certain number of LOC.

* As Mats pointed out in the comments here of the previous post: Try to version sprocs and the dependency between them, you will certainly die of old age before you figure it out.

These are the reasons why I stay away from sprocs.

There are reasons when I might want them, like for granular security (as OJ mentions).

Or.. ehm.. Problem is, I don't (like Phil also commented in the post) like to handle my users / groups in the database. I want every application / service to have it's account and throttle all queries through there. That gives me the same security context, which effectively allows me to use the built in Connection Pooling. Additionally I get the benefit of administrating access for applications and don't have to worry about 100's of roles or 1000's of users.

So no, there is probably nothing that would make me use sprocs (well a gun to my head or a million dollars aside)

kick it on DotNetKicks.com
 
Comments
6/20/2007 12:56:00 AM   http://www.hedgate.net/   -   Chris Hedgate
 
I agree completely with you Patrik. However, I think I big problem for us in this discussion is that in many cases we are arguing using arguments that "the other side" are not interested in. I am not saying they are right in not having interest in them. Of course they should be interested in having expressive and tested code, it's code just as any other code! It's just that these are not things they worry about ("I can read SQL perfect, why shouldn't anyone else be able to?") enough for those arguments to bite. I think we first need to argue the importance of these things in any piece of code, along with the fact that all code is code, to drive these arguments home.
 
6/20/2007 6:13:00 AM     -   Mike
 
"First of all SQL is really not a language that excels in describing and enforcing business rules. It was created to be effective for CRUD, SET based operations, and not to capture business intent. Languages like C#, Java and Ruby are much better at that."

Preface: I love C#, and use it everyday for LOB applications. I also enjoy SQL, and greatly appreciate the power that set-based languages can supply.

What makes C# any more (or less) able to handle business logic than SQL (aside from readability as you point out, but I've never noticed this)??? I'll admit, that some problems are easier to solve in C#, but at the same time, some problems are much easier to solve in a language with some set-based power (such as SQL).

Also, regarding the comment about "In 2007 reuse of rules and processes is best enabled by a SOA." - while true, SOA doesn't tell you where to put logic, or how to write it (does it?). Consider a web service front-end that maps business actions 1:1 to stored procedures in an Oracle DB (for example). This web-service is exposed to 15 customers who call if from a variety of platforms. Do these consumers really care what's going on in the black box and how the calls are being handled? Probably not...I wouldn't.

Finally, as for the versioning concerns, Subversion has never done me wrong in keeping track of my source files for sprocs.
 
6/20/2007 6:55:00 AM   http://rant.blackapache.net/   -   OJ
 
Hi again Patrik,

My original comment in the other thread was fairly general, and didn't go into too much detail. I too do not like to manage users at the database level, and I have a single user context which is used when connecting to the database.

My point was that this particular user doesn't have access to the tables directly. That user context which is used by the application only has permissions on the stored procs themselves, which locks the content of the database down somewhat and prevents the site user from being able to mangle data in a non-uniform manner. It'd also aid in reducing the potential damage should a malicious user somehow start meddling with things they shouldn't. A standard SQL syntax injection wouldn't achieve anything in this context.

Cheers :)
OJ
 
6/20/2007 4:57:00 PM   https://lowendahl.net   -   Patrik Löwendahl
 
Mike,

re: Language. Using object oriented techniques I have a much more simple task in expresseing bussiness intent in C# then in SQL. I'll write up a couple of examples this weekend and post them here.

re: reuse of rules and processes. No you are right, the consumer don't care where the logic is. But that was not my point, I apologize if I wasn't clear. That was ment as a comment to all thoose that wants sprocs to be the single point of integration. Meaning that various applications would consume sprocs instead of services. In 2007 that is just plain wrong.

re versoning, keepin track of the changes in the script is not a problem using subversion or any other configuration management tool and that is not the problem outlined in the post. The problem is keeping track of dependecies between sprocs and versioning them in the database. What if I update one sproc but have a dependecy for a couple of others on the previous behavior. How do I track that and how do I make sure that each sproc get's called with the right version?
 
6/20/2007 5:01:00 PM   https://lowendahl.net   -   Patrik Löwendahl
 
OJ,

Well yes that is a scenario. Although I really don't think it's a valid one.

For SQL Injection the application code should not allow that to come down at all.

For select, delete etc. What if some roles in the application should be able to deleta but som others shouldn't? Then you have to start partioning the rights in the database anyway if you don't allow the applications to access.

I feel that theese kind of hard control over security is often enforced by paranoid DBA's rather then real bussiness / application requirements and don't belong in a modern IT environment. (well if you don't have legal obligations to do so offcourse, like for government or cashier systems in Sweden)
 
6/20/2007 5:37:00 PM     -   Mike
 
On a related note, since ORM products and their internal caching is an area I'm unfamiliar with (as I usually write my own)...

How to ORM solutions handling multiple web servers (like a 8 server farm) and cache consistency?? In the article pointed out above [1], the author mentions that the cache should be used for retrieval of inventory data. Fine - but how do you (using and ORM product) sync that across multiple servers so that everyone sees the same answer within a reasonable time frame?? I know how my team usually handles it, and it's a lot of dedicated code - but I'm wondering if any of these 'off the shelf' solutions provide this.

[1]: http://www.evanhoff.com/archive/2007/06/05/19.aspx
 
6/20/2007 11:52:00 PM   http://www,lowendahl.net   -   Patrik Löwendahl
 
Mike,

None of the ORM I know has a distributed cache implemented. Although NHibernate have hooks to change the Caching implementation to something else if you don't want the local caching.
 
6/21/2007 7:55:00 PM     -   Evan
 
,

Memcached is an open-source distributed caching implementation. It works with NHibernate and was originally built to scale with LiveJournal.com..

http://www.danga.com/memcached/
https://sourceforge.net/projects/memcacheddotnet/
http://en.wikipedia.org/wiki/Memcached

A few sites using memcached:
-Slashdot
-Facebook
-LiveJournal
-Wikipedia
-SourceForge

If you prefer to get paid support with your distributed caching, you can look to NCache..which also works off the shelf with NHibernate..

http://www.alachisoft.com/index.html

Comment
Title:
Your name:
Your url:
Text:
Please enter the text from the image: