Slashdot Mirror
Stored Procedures - Good or Bad?
superid asks: "I'd like to get opinions and real world experiences that people have had with database centric applications that rely extensively on stored procedures. I believe that most enterprise class databases such as Oracle, MS-SQL, PostgreSQL, DB2 and others implement stored procedures. MySQL has been criticized for not supporting stored procedures and will be adding them in MySQL 5. The ANSI-92 SQL Standard also requires implementing some form of stored procedure (section 4.17). So, I'm asking Slashdot readers: if you were architecting a highly data-centric web based application today from a clean slate, how much (if at all) would/should stored procedures factor into your design? Where are they indispensable and where do they get in the way?"
"The arguments for stored procedures are pretty straightforward: 1) Centralized code; 2) Compiled SQL is faster; 3) Enhanced security (as our application is over 15 years old, and consists of much legacy code, reimplementation and feature creep that now includes over 3000 stored procedures). At one time we had a client/server architecture so those three advantages were relevant. However, in the past 4 years we have moved everything to web front ends and I have argued that this is no longer true. Does it really matter if my business rules are centralized in stored procedures or in a set of php/asp scripts (ie, in the web tier)? Is it really important to shave compilation time when connection and execution times dominate? (and overall response is ok anyway?) Since the focal point is the webserver, shouldn't security be done there, rather than the DB?
In addition, you either have to have a dedicated T-SQL or PL/SQL coder who then is the weak link in your coding chain, or your pool of developers must become fluent in both your scripting language of choice as well as the SP language. I have experienced both of these approaches and found this to cause bottlenecks when 'the database guy' is unavailable and learning curve problems (bugs) with new coders getting familiar with the db language.
Finally, after staying with our DB engine choice for all these years we are acknowledging that they may not be around forever. Management has asked us to look into migrating our data and business logic to another DB choice. We'd sure love to just be able to point the web tier at a new data source but that is unattainable due to a convoluted tangle of db specific code."
In addition, you either have to have a dedicated T-SQL or PL/SQL coder who then is the weak link in your coding chain, or your pool of developers must become fluent in both your scripting language of choice as well as the SP language. I have experienced both of these approaches and found this to cause bottlenecks when 'the database guy' is unavailable and learning curve problems (bugs) with new coders getting familiar with the db language.
Finally, after staying with our DB engine choice for all these years we are acknowledging that they may not be around forever. Management has asked us to look into migrating our data and business logic to another DB choice. We'd sure love to just be able to point the web tier at a new data source but that is unattainable due to a convoluted tangle of db specific code."
I like to keep business logic in one place as much as possible. You are almost assured to have some in your app, so I try to keep all logic there.
Stored Procs and triggers make can make the code simpler and more efficient, but spread out the workings of the application and unless properly documented, more difficult to understand.
Just my $0.02 CDN
Bad, of course.
I only put triggers or constraints or whatever in the database for one reason: to make sure only valid data enters the database.
For instance if ColumnA must be between 5 and ColumnB+34, that should go in the database. The database itself should guarantee the data is clean. "Data logic" you could call it.
Business logic and everything else should go in the higher layers. There is some ambiguity about what is "data logic" and what is "Business logic" but it's usually pretty clear.
Why? Maintanence. The stored procedures tend to rust in place over time. If you're an "agile" developer you'll go nuts not being able to refactor business logic or have unit tests check your database procedures. If you're a "BDUF" (big design up front) shop, you might like it, but thankfully many are moving away from that.
There are no real negatives to stored procedures from a development standpoint. Databases that support them, assuming cost is not an issue, will always be prefered over those that do not. Why is this question even being asked on an open forum such as this?
Monitor bandwidth usage on IIS6 in real-time: http://www.waetech.com/services/iisbm/
Particularly for an application where you are returning large amounts of data, stored procedures hold a distinct advantage over dynamic SQL queries in that, if the SP is designed correctly, the database has pre-optimized the query plan at compile-time and runtime execution is therefore much faster. It also allows for underlying table structures to change without impacting your application logic.
Also, when it comes to long-term database maintainability, putting your database logic in stored procedures allows the db admins to get an accurate overview of what objects/tables are in use and which are no longer needed. At my company, where we have over 20 databases, this is an absolute must.
Generally speaking, I use dynamic SQL during initial development and move to stored procs for QA and production.
I actually miss them in my current job with mySQL. I used to like the way you could run a stored proc every X period to copy "live" data to "public" areas. Or, archive "public" data after "x" period of time. But then again, I am a micro$oft developer at heart, and all this Perl, CGI, Java, (even COBOL) on old RS6000 systems gives me a headache sometimes.
why are you posting if you don't have an answer?
you are only giving me a headache.
Data controlled by the DBA good. Data controlled by developers or users... bad, very, very bad.
personally I like them. The centralization of code is a big advantage, but I think the biggest advantage is typing the incoming data. This plugs some of the security holes.
SELECT * FROM users WHERE CLUE = TRUE
0 Rows Returned
or if there are rows, fix it quick!
DELETE
FROM users
WHERE CLUE=TRUE
One of my favorite thing about postgres is it's support of plpythonu (python stored procedures) and the recently added java support.
Just define the function (in java or python) and SELECT it with whatever arguments you've designed it for. I don't know what the overhead involved is, but we used it more for convenience than anything else.
I was told basically, "the fewer the better" and "keep them confined to the innermost loops."
If I were a bit more of a tinfoil hat wearing man, I'd be Slashdot makes some of these "Ask Slashdot" topics up because the ensuing flamewar will cause more page hits than usual.
I know this is OT, but there is nowhere else to post this - I thought I was the only one seeing them. Is it the viruses running rampant, or did something break after their last time they tweaked slashcode?
My rights don't need management.
A bit trollish, but I'll respond: perhaps he's actually smart enough to seek outside opinions, even though he thinks he knows the answer.
That, or he's preparing some kind of presentation/paper to justify the use of stored procs to a boss who doesn't believe in them (or vice versa), and is seeking real-world examples to bolster his point.
Just a couple of possibilities.
What about version management of stored procedures? Yes I know it's possible, but it creates pain. Everyone must have their own copy of the DB otherwise an error by one developer modifying a SP breaks it for everyone, even if they have their own copy of the app. Scripts must be written to ensure that the latest SPs can be applied at the same time as code updates.
I don't like using SPs, but I think version management for me is the nail in the coffin.
Mark
Finally, after staying with our DB engine choice for all these years we are acknowledging that they may not be around forever.
I've never taken this argument seriously. If you put all your business logic into a web front-end, then you're locked into that web front-end. If you put all your business logic into the database, you are locked into that database. Sure, both are pains, but you can't consider it a downside for the database without also considering as an upside for the database.
The idea of a database is to put the whole data-relation logic in the database, if only to insure atomicity of operations.
Because as soon as you rely on an external process to maintain data integrity, you're bound to fall prey to some sloppy programmer who does not understand the data relationships and will not properly maintain the data integrity.
At least, when you use stored procedures, you can concentrate the data integrity logic in only one place, which is easier to control and manage.
Just think about this. You move from client server to web front end was made easier because your business rules were stored procedures. They were not dependant on the end application.
Most of the development I do at my job is Coldfusion+Fusebox with SQL Server on the backend (I don't care if you hate MS, don't bother knocking SQL Server) and stored procedures just make life easier. They're also handy in the instance that you may have multiple front-ends written in multiple languages accessing the same database in many cases. Making a change to the way data is returned is far easier to do in one stored procedure than in X number of front-ends. One of the main reasons we don't use mysql is because the stable versions don't have them.
If the applications are written in one of the various scripting languages, then this argument doesn't apply:
One major problem with enterprise applications is that when a problem is found in an adhoc query (poorly written, a bug with the DBMS, performance related, etc) then the application would normally have to be recompiled and pushed out to the entire enterprise (could be tens of thousands of computers to push to). This isn't desirable.
Moving the queries into stored procedures (where possible) allows you to correct the stored procedure at a central location and roll it back to the 'old' stored procedure if necessary with minimal effort.
A good rule of thumb: use stored procedures for compiled applications
Jason L. Froebe
No one has seen what you have seen, and until that happens, we're all going to think that you're nuts. - Jack O'Neil
The good side about them is you can put them in one place, centrally, and basically forget about them.
This means several teams can develop apps against the same database (often using completely different languages, and with completely different goals). The business logic isn't hidden in some obscure class that might be in a language you aren't fluent in.
The bad is that they tend to make the individual apps difficult to debug. sp's often throw errors that are non-obvious, and if they are buggy, will do very strange things to your data. Often, hours of debugging latter, you realize it had nothing to do with your code, but was a bug or bizarre error condition in the sp or trigger.
Lately, the databases are allowing sps triggers to be created in more modern languages. Postgres IMHO kicks normalizes everyone elses ass with it's ability to use python, perl, php and ruby (among others) to create your sp's. Then at least, it is code that is a big more understandable.
I am in the "always" stored procedure camp. They allow me to centralize a great deal of business logic close to the data source.
They provide a great deal of security if used properly. Not only do I not have to allow my users to have ANY direct access to tables, but I ahve the ability to change underlying structure more easily.
It is wonderful to make the boss' suggested change to his favorite application without having him even close out of it.
The downside is that you have an additional layer of code to manage. However, I have done a lot of code automation, and 90% of my sp's can be written with a few clicks of the mouse...
There are times when there are compelling reasons to use stored procedures. Unless you have one of those situations, there are lots of good reasons to avoid them. In addition to the portability and skills issues, I'd like to add that PLSQL and TSQL are both pretty crude languages. Stored procedures also make it hard to partition your application across servers. I'm in the 'avoid them if you can' camp.
Stored procedures should ONLY be used for sensative data such as in a bank environment, where information should not be passed to the database (such as usernames/passwords/account info etc) but rather the database server should run it. Otherwise the proccessing should be done on the app side!
There is NO REASON for the database server to be doing proccesing.. it's a database server!!
If you have views set up to restrict which rows a user can select, but you don't want to restrict user creation (with a certain group, and with pre-defined rights) so that your webserver doesn't need administrative rights, a stored procedure fits the bill.
(PL/PGSQL example)
I have heard this nonsense spouted more times than I care to remember. "Keep the code IN the database" the enthusiasts would cry. What you end up with is code spread all over the place. Some of your business logic now resides in source files written in your app. language, and some of it resides in the database in SP language. You can no longer look in one place to see what the program is doing. You have to read two sets of source code side by side. Throw triggers into the mix so that your SP's are silently called as a side effect of other statements and you have a maintenance nightmare. And what happens you need to roll out an upgraded version of one of your programs? You can't just transfer the binary there any more. Now suddenly every new release becomes a database upgrade, requiring scripts to be run to modify the database etc.
not sure about IIS, but slashdot has been running a lot slower than normal for me too. Again sorry for the off topic post.
I almost always use a middle layered server that buffers calls between applications and the database. It's job is really to coordinate transactions, users and to perform tasks that go faster natively than through a database. A middle tier invariably makes it FAR simpler switching from one database engine to another than trying to port stored procedures.
I've just spent the last 10 minutes trying to get through and this is the first time i've succeeded. It's been going on for about a fortnight now at least. I'm getting maybe a 50% success rate on average....
Then you are a moron.
At my work we write apps that are only used inhouse and app that are used by 1000+ users. Our applications are mostly data entry apps with a decent amount of reporting. We only use stored procedures in the software that we sell to our users because it makes it easier to implement any updates/fixes in code than it's in a stored procedure and just send them a program(executable) update. For inhouse we prefer stored procedures because maintenance/updatability is not a problem.
I think if you are looking at large databases where stored procedures may make a huge difference weigh your options between speed and ease of sending updates to the users.
Just my 0.02 cents.
Stored Procedures are hidden logic, and they're difficult to write, debug and maintain. In some databases, they are nearly impossible to debug without the equivilent of printf statements.
You also place more burden on the database, and lose the ability to scale horizontally. It's easier to add more web/app servers to you site than it is to add more databases.
Not sure I agree with the point about them being tied to a specific database; I don't think it's practical to write vendor-neutral SQL, so you will always have functions like TO_DATE vs DATE_FORMAT to worry about.
Use foriegn keys, check constraints and strongly typed columns to preserve your data. Keep the application logic outside your database.
If it can magically make 503 errors go away - yes if it does anything else - no
If you have to ask, you'll never know.
Having the queries in one place is also generally an advantage, and if the vast majority (or entirety) of your queries are in those stored procedures then migrating from one DB to another means NO messing with DB specific code (and every query ends up being DB specific if it does much of anything at all) except for the query developers.
The shop I work in has two main applications which access the same database. One is a web environment written entirely in Perl where all of the DB logic has been pushed into stored procedures, and then further abstracted into modules. Now migrating from one DB engine to another simply means rewriting the stored procedures from PL/SQL to TransactSQL (for example), and some minor modifications to the underlying modules. Then if we want to change the business rules for that data we can change the modules with only minor changes to the app logic.
Contrast this with a mega app written in C which has tons of queries directly in it, a minimum of stored procedures, and a constant stream of bugs because of the morass this has created. The app moves slowly, ponderously, and half the time wrongly.
Anytime I'd be called upon to architect something, I'd be pushing stored procs as much as possible. They're a logical extension of good, modular design.
I started with Oracle Programming, then moved to Objectivity for Pure OO DBs, and now I am using mySQL. Stored procedures are very useful, if your application runs in a console mode, from the server that is hosting the DB. But in real-life this is not usually the case. Most applications are web based, in which case the web server is the middle tier. The latency added by the middle tier and the whole HTML/XML is so much that using stored procedure vs C++ doesn't help too much. Nowadays I use Java/PHP code to process the data, instead of PL/SQL, since it is the middle tier that is the bottleneck, and not the fact that I m processing data on the middle tier instead of on the DB server.
With all advances in the client (browser) technology I am even doing some processing (mostly for presentation) on the client using applets, and XML/CSS.
Consensus is good, but informed dictatorship is better
Fairly simple for someone like me. Over time peoples jobs change, and in a small shop you might have to take up tasks that you previously would not have done. The logical thing to do is try and learn from other peoples experience since you aren't likely to have much in the specific topic. Slashdot probably isn't the best place to go, but you have to give him credit for seeing a hole in his knowledge and trying to compensate rather than just blindly proceeding forward.
Stored procedures can be used to isolate field names from the application that calls them. This encapsulation allows you to change data column names without regard for the application that is calling them. The calling application uses the stored procedure to retrieve and store data, and the stored procedure knows how to translate the data column names.
They also allow you to put business rules and other data centric items at the database where they operate.
For example, let's say you have a trigger on a data row that causes a formula to run. Wouldn't it be best to keep that formula with the data it operates on so that it can run rapidly without the need for data to go over the wire several times?
Stored procedures are also a great place to store a complex set of queries so that the presentation to the outside world is more directly understandable. You might have data that is difficult to represent certain views, but a stored procedure can bridge that gap without adding complexity to the calling program.
All of this is more important when you are talking about a web application where there is not a lot of processing power, state is difficult to maintain and lag times can stretch processing times if the data travels around too much.
Stored procedures can solve all of these problems (and many more) neatly and at the server.
We should start referring to processes which run in the background by their correct technical name... paenguins.
The main reason I've found not to use stored procedures is in cases (like complex searches) where a dynamically generated SELECT statement will beat any sort of attempt at a generic stored procedure search hands down.
Some time ago, I did some work on a middle tier for some PHBs who got infected with the "stored procedures == faster" meme in a big way. The big sticking point with this was the complex searches they wanted to support, which could be done very quickly and relatively simply with a dynamic SELECT, but became very slow, complex (and thus bug prone) when we attempted a stored procedure implementation. I'm not sure we (the development team) ever really convinced them doing it dynmaically was the right way to go; we just wore them down to the point where they finally dropped the issue.
(PS, to any PHBs who think I might be talking about you: if you keep quite, no one will ever know)
150 Opening BINARY mode data connection for slashdot.sig (129323052 bytes).
i think sp as way to better define "what" (data) to get is good, but not for actual processing - it seems to amount to optimization hack (and that is when using query optimizier well).
oh, the trigger is the absolutely worst. you thought you were updating a single column, and then whole table get dropped. no one needs that sorta aggravation.
1) I'd use both and I wouldn't use security as an argument to use stored procedures. Mere "mortals" should not have access to the database server at all. Just beware of SQL injection attacks (Google it if you don't know what that is).
2) Stored procedures aren't always the fastest because you can't do array inserts with stored procedures, for instance.
3) Queries are cached. So the second time a query is executed it won't be compiled. Just make sure that your queries are parameterized. Don't put your values in the query with string concatenation. Use parameters. Otherwise queries can't be cached. You will also be vulnerable to SQL injection attacks.
4) Use stored procedures when you will gain a clear performance advantage. You may want to try to implement it in your data tier first, and if that isn't fast enough, move it to a stored procedure.
5) Buy or make a code generator that will generate data tier code for you (and possibly other code).
6) As for database compatibility, if you implement it as stored procedures, you are screwed for sure. If you use normal SQL you are probably screwed anyway. Check out this chart this chart for compatibility. And that only points out the parts of these databases that follow the standard. They do have plenty of non standard features as well. If you want to try your queries for standards compliance you can go here.
I have plenty more where that came from, but the wife needs the computer. Good luck though.
The Internet is full. Go Away!!!
There are many promising things about stored procedures, but they are negated by the very thing that should make SQL work strong in many situations.
Supposedly, storing all business logic in the database gives you speed and the ability to change the language used for rendering and UI fairly quickly if need be. In that sense they become similar to the CLR... I can write a PyGTK+ app quickly for a little desktop gui functionality, and use the same validation/business subroutines that the main PHP interface uses. This is certainly sounding like a plus, yes?
However, once you start coding in stored procedures, you're just as married to the database as you would be to any other language. The problem is that while there is generally excellent acceptance of SQL 92 standards, and some decent acceptance of SQL 99 standards, afaik stored procedural languages are not nearly as standarized. Hell, PostgreSQL has like 5! So instead of being married to, say, asp, you're now married to a database, which in most cases is commercial.
Also, I think the point about new coders being unfamiliar with the programming language is slightly invalid... PostgreSQL and Oracle at least have Java (or Java-esque) PL's built in. Pretty familiar for most coders worth their salt.
Stored procedures, imho, are essential for data integrity. It's all fine and dandy when you have just a web app sitting on top of the database, but when multiple applications access the database, sometimes from different sources and programmers, you have to make sure they all follow at least the same base set of rules.
Stored procedures centralize a degree of data validation and integrity. They are also for on-modify creation of data. For instance, one can use stored procedures to make sure some read only table is always up-to-date, by making it so that inserts/updates are mirrored to that table. Some could argue that this can destroy normalization, but in some situations where reply time is critical, normalization can do more harm then good, and sometimes you're better off with more data than with having to join two tables. Stored procedures can be of great value here.
Do web applications need stored procedures? Probably most won't. But then again, "web app" doesn't define an application, it just defines an interface, a media.
Stored procedures are also vital in one of the most important things regarding project development: abstraction. You can customize the database layer to execute code that is implicit to database operations, thus saving time by not having to make them explicit in the application layer AND also saving a roundtrip from the app to the db for each of those explicit calls turned implicit - hope this made sense.
Cheers.
"I don't mind God, it's his fan club I can't stand!" E8
Stored Procedures -or- parameterized queries can prevent SQL injection attacks.
Dynamic SQL is more more prone to logical errors. Dynamic SQL often involves string manipulation, which can be a performance hit (depends upon your implementation--and helper classes can improve or prevent this--but in general appending strings and variables together inside of code is a little nasty).
Also, consider using strongly typed datasets if you can. Strongly typed datasets reveal datatype problems sooner (compile time vs run time). Sooner = easier / cheaper to fix.
Stored Procs = centralization. Centralization is of course both good and bad. The stored procs can, in theory, be used by multiple applications. Of course, with proper OOP this is less of a big bonus, but it does give some flexibility, esp in an environment where you have different application platforms accessing the same DB.
Stored procs make learning easier in a multi-developer environment, esp one with high turnover. Newbie coders can get up to speed in regards to the DB Schema much more quickly if the library of stored procs is well-named and well thought out. You could also translate this to say it makes maintenance easier over the long haul (think of going back and looking at this stuff again 3 years hence with other projects in-between). It depends on how much of your own dogfood you think you'll have to eat.
Gut reaction based on lots of experience doing both stored procs and dynamic SQL: Stored procs are NOT a silver bullet and can be a pain in the neck early on, but they sometimes pay off in the long run. Once you get into a groove with them, I think you will like them.
The bad thing about stored procedures is that they are largely database-specific in syntax. Putting the logic in a middle-tier would allow you to target different databases easier, if your database access framework is more flexible/portable (all of the good ones are).
If your project is small, one programmer, then there is no need to separate duties.
Stored procedures, triggers and check constraints that enforce business rules ensure that bad data won't get into your database from any source. If your business rules are only enforced by your fat-client application, then anybody with an ODBC client can put bad data in your database.
Prepared statements and vendor-neutral SQL are the way to go for portability and controllability of the development process. Use SPs judiciously, if at all, and only when there's a highly compelling need to do so(e.g., order of magnitude speedup, etc).
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
This is extremely powerful, especially if you have a DBA, but even if you don't your developers can much more easily audit who is doing what.
For instance, say someone needs to add a column to table T; how to know whether there's logic somewhere that will get broken? You have to search for the table name T in all your application code. If you use stored procedures exclusively, then you can know unambiguously what the effect of the change will be. You can ask questions like "does anyone actually use column C for anything?", or "if we change the datatype of column C, what code will be affected?"
You don't necessarily need a skilled stored proc coder -- after all, if your developers are writing their own queries anyway, wrapping them in a stored proc is not hard. If you need complex logic in the DB layer, someone's going to have to learn to do so regardless of whether stored procedures are used.
I've worked on two mid sized web/db projects now with a couple of old skool Oracle hackers. They are quite sharp, but not really up on all the hot new O/R mapping technology. Hibernate. Castor. etc.
So I figure I'd teach them a bit about the "right" way of doing this. Use the database to store data. Period. Model business objects as Java classes. Implement business rules in Java, and code the views in terms of those objects.
The thing is, the more we talked about this, the more I came to question the way I had done things in the past. For example, it's not always possible (or at least convenient) to define a single set of business objects. A Widget might look one way from a manufacturing perspective, and another from a sales perspective, to take an absurd example. Often I end up fetching more data that I really need, because the BOs have been defined to be as general as possible. And so on.
My particular case is special, because there will more likely always be people with heavy Oracle expertise to maintain these systems than people with Java experience. So the risk of sticking all the rules into the database, only to end up with a maintenance nightmare after the Oracle guys have left doesn't really exist. But even so, I've come around to thinking quite a bit differently about the role of the database in a multi-tier application.
Just my humble opinion.
In addition, depending on your situation, it shouldn't be too hard for the developers to learn how to write stored procedures for the database. Once you know one language, learning another isn't that hard. The developers might write some inefficient code at first, but they'll get better very quickly. Plus, it will give them a better idea of how the database really works and performs, improving their overall designs.
Of course, IANADBA (I am not a DBA), so take it with a grain of salt.
One of the huge advantages of Stored functions/Procedures is that they make your code a lot cleaner by removing about every logic from the interface. Of course, it makes it easy to have multiple interfaces but most of the time, this probably won't happen.
Of course, for them to be really useful, you need some way to sort and document them because as everything else, you will end up loosing them and forget they exist. I've seen problems like that with undocumented procedures and views. It ends up being a total mess.
I've used Oracle for a while and procedures/functions are quite useful and easy to create once you figured out all the little syntax problems that come with Oracle... (don't they know about make syntax uniform?). I ran a few tests on MySQL 5 alpha, it's quite unstable now but the implentation seem much better to me. I'll have to get the development version from BitKeeper before going any further in the tests because there seem to be a problem with DROP PROCEDURE in the version I have (not blaming, I know the risks of alpha versions).
When it comes to security and data integrity, there is nothing like triggers, but it will have to wait until MySQL 5.1, which is probably over 2 years ahead since MySQL 5 itself probably won't be released before an other 1.5 year.
Qui ne va pas à la chasse n'a pas de gibier
PHP Queb
My own opinion is that a database was originally made to be efficient in STORING/RETRIEVING DATA, not processing it. It feels wrong to depend too much on a database for storing your data AND taking care of all of the application logic. What if you need to move your data to a completely different database? You are either screwed, or looking at spending a nightmare amount of time porting it over. Develop your logic in your frontend application and just use the database for what it was originally meant for: data storage and retrieval. BTW, I manage an online service that processes millions of database records a day and this is how we are setup. We wouldn't want to do it any differently.
If you're writing both tiers then I could understand that. I myself sometimes get tired of looking back and forth between the SP and the program code.
As a dba for 10 years now I can honstly say that you shoudl be using stored procedures but only for CRUD needs. Imbedding any business logic at all in the proc will only lead to trouble, not using them leads to a bunch of trouble if your trying to tune your db or if you need to change a data structure. PLEASE PLEASE PLEASE do not let your DBA be lazy and not write stored procs for you!!!
A year ago, I converted an open source project I write in my spare time from MySQL to PostgreSQL. The primary driving factor in the conversion was to make use of the more robust features of PostgreSQL in order to maintain data integrity.
This involved of course the creation of a schema that made use of referential integrity and stored procedures for certain key operations that would enforce data integrity that the code required but fell outside of relational databases proper.
As I was completing the source code conversion I noticed that a lot of the data checks that had to be done under MySQL 3.x disappeared as PostgreSQL enforced it for me.
The creation of users, and other entities became much simpler as did their removal. Cleaning up the code and making it easier for me to make modifications to the scripts, without having to second guess another script having adverse effects.
The scripts themselves still handle logic, albeit at a higher level. The process of using stored procedures to handle data integrity and enforcing certain rules simply allowed me to concentrate on the bigger picture when dealing with scripts.
Of course, the trade off was in speed. MySQL to this day, still seemed to be capable of handling more loads since the site is dominant on SELECT statements. However that is more of an issue between PostgreSQL and MySQL proper.
First of all, your question sounds a lot like "What's your favorite color?"
Secondly, where do you want to put your cycles at? For larger applications, that's an important question.
I've done this and seen this a dozen ways from Sunday. For every bad implementation of SPs I can show you a good one. Good coders write good code. Bad coders write crap. Sorry, but there is no one answer. For a compentent code mechanic, you can put it here or there or anywhere. All the same. (lots of "devil in the details" goes here)
Having said that, tiering is a great thing. Use it when you can for better code maintainability. But at the end of the day, you usually end up with business rules all over the place anyway. If you stick the business rules locked into the database, and lock out access otherwise, at least you know they'll always be executed. And that, of course, is the entire reason for having business rules in the first place.
I can argue this from every angle, which probably makes it a great slashdot topic! Endless speculating without any conclusion! (grin)
In my experience stored procedures are the way to go but please take care with maintenance activities. Since database objects can't list external dependencies like internal dependencies (e.g. views/procedures/trigger/etc). Without knowing the dependencies a certain about amount of fear creeps into maintenance work. The fear of updating a procedure and breaking other web pages (or the lack of time for analysis) sometimes cause copies of the same procedure to be create with slight changes but under different names. Over time these "new" procedure become a problem since it just leads to more "fear" of change. Fear is greatest problem when dealing with an application code base.
Of course with good execution and experienced programmers this (and all issues) are not a problem, but over time poor execution and less experienced programmers will compromise the integrity of an application design.
...she uses stored procedures like crazy.
I can definitely see the sense in this. Although it does make the db design more complicated, it puts a layer between your app and the actual tables and fields. That means that you can change the fields willy-nilly, and as long as your app's only using stored procs to get to the data, that's all you need to change.
There's whole books on using similar concepts in code.
Likewise, there is no reason for a web server to be doing processing... right?
Stored Procs allow the clientside portion of an application to pass queries to a Server-Side processing done by a backend "industrial strength" database housed MOST LIKELY, on a FAR MORE POWERFUL (in RAM + CPU hardware-wise) system than the client machines usually & far more efficient system for data processing (since the queries get compiled too) & return of said data in a return recordset to the client program & client system...
At that point? All the client program has to do is populate say, a grid (AND in the doing of this? I strongly recommend the use of the Sleep API to stall that grid population every 3rd record or so (this you have to tune for, & also this allows SOME users to have more "oomph" than others too, like mgt. which always demand this)).
This use of that API call for external-to-application multitasking & ceding of processor time between apps running on the client system vs. the amount of CPU time given to the middleware (program that passes data back to serverside & acts as interface to server dataengine) helps multi-user setups NOT so much on ordinary LANS locally located @ say, main company site? BUT MORE those that use say Citrix WinFrame/MetaFrame or Windows Terminal Server setups to NOT "lockup" each client node coming thru usually a single remote site pipe over the public internet (this type of solution is often used to save money & create what I call a 'cost-effective 2.5 tier application... it works like a dream, & keeps the client rigs from sailing up to 100% CPU use one by one because on Citrix/TS? They share a SINGLE desktop & middleware technically... you flood that single instance? In effect, you DDOS your citrix/ts desktop shared access point... I've seen it happen, this cured it, & drove clientside remote TS user rigs CPU use down to 4% each from 100% each. Keep this in mind when designing!).
ANYHOW:
The clientside application, all it does using stored procs? Is ask a question & passes it to the server via middleware (how you pass data to/from dataengine on backside), the server-side dataengine processes it, & send the client back its answer!
Most efficient, most effective, & keeps business logic off the clientside app. as well especially in multi-user environs which most apps of this type? ARE!
APK
Actually I fit both molds.
I do PHP and use "static" mySQL in code blocks for my personal sites.
For my day job, I tend to use ASP/VB and perform most of my calls within massive stored procedures - often times creating multiple temp tables. Generally my databases have >10M rows in the primary online tables (not to mention some archive tables), so stored procs work well there. I use MSSQL, DB/2 and IMS interchangebly.
I tried out the stored procedrues in PHP5 and wasn't impressed. Since I'm coming up with a new online app in PHP/mySQL, we decided to go with "quasi" stored procs where we have a php page that can accept "parameters" and generate the SQL code accordingly.
The Kai's Semi-Updated Website Thingy
Besides the optimization the DB might do on SP's as opposed to dynamically created SQL statements, SP's are nice from a security point of view.
:).
You have to be extra careful with dynamic SQL due to SQL injection bugs that we all know about. This isn't really an issue when you're dealing with stored procedures that take defined data types as opposed to creating SQL on the fly based upon your data (which could have injected SQL).
Controlling which DB accounts can use what stored procedures is also handy mechanism for determining permissions. Stored procedures represent what all your application might do, so picking which DB connections (which have credentials) can access these is a nice place to control those permissions.
Granted, you can still do lots of stupid things to mess up security
Also, there are places where SP's are not really possible. Severely dynamic reports are a good example (assuming you allow that functionality in your application). There's definitely times when you HAVE to generate SQL on the fly. In any event, try to create a "data access layer" in your code and if you have to dynamically generate SQL, run all sorts of checks on it with regexp's etc to check for injection.
1. Each vendor has a special language for stored procedures that is incompatible with other DB's...so it's a vendor lock-in mechanism.
2. Stored procedures which are triggers operate in a weird out-of-phase universe where they can do stuff before, during, or after a transaction. Yes, this makes them powerful, but the transactional behavior of the procedure depends on the context in which it is invoked. So you end up making a mental map (it never seems to be documented) of which SP's operate in which phase. One odd but effective way to deal with this to put the word "before", "during", or "after" (optionally row also) into the name of the stored procedure.
3. It kind of breaks the (sometimes adhered to) idea of keeping a clean separation of the algorithms from the data, in the same way that writing into the instruction cache is best not done.
One case where I find that SP's can be useful for storing business logic is when your system will have different front ends using different technologies. For example, if you have a web frontend with PHP or Java but also have a rich client written in .NET or VB.
Of course you can also solve this using an additional tier (like an app server and use web services) and it could be easier to maintain, but if performance is too much of an issue, then you could go for SP's for some of the logic.
I don't think it has to be an all-or-nothing decision, though. You usually end up with some logic in the app code and sometimes some logic in SP's.
Go hug some trees.
Use Hibernate (or an equivilant) and never worry about either again.
But for big apps - say like www.bigbankxyz.com - what really matters is robust stability and the abilty to tune app performance over time. To do this you need to build a layer of data access objects that abstract and wrap around the SQL or SP.
With a data object layer your frontend folks can then use these objects to do things like:
accountbalance.retrieve acctno
in the page code.
The big advantages in addition to simple productivity are:
1) If the underlying data source or even the source system changes you can update the data access objects and the frontend folks are fine and oblivious
2) If your site has performance issues you can selectively build data caching into slow objects (queries) after deployment and the frontend code runs faster without any code changes
3) You can apply a number of load balancing, regionalization, clustering, fail over etc strategies across frontend servers by manipulating the objects while the page code, again, stays the same
On the other hand, it's not worth the effort if you're always going to have only a few developers running a two server (webserver and DB) setup.
"Knowing everything doesn't help..."
Stored procedures can be good for programming logic that uses the database and that should be the same across multiple applications.
"When the going gets weird, the weird turn pro" -- HST
Stored procedures are definitly a good idea once the requirements/design are finalized, but it's a hard arguement to make while developing unless the developer also is the DBA. While some may argue that it enforces better design up front, I would remind you that most requirements/designs rarely make it from paper to code unchanged, and the development costs both in time and talent are significant with stored procedures.
If you went with stored proceedures, everytime there is a business logic change, or requirements change, your front end/business logic developers would have to wait until your DBA makes the appropriate changes to the data layer before being able to continue. For me, that's just too much wasted time
With most applications that i've done, one of the major requirements is database interoperatability. I've always been asked to make my systems portable between at least Oracle/Sybase/SQL2K. With that requirement, you would need someone trained in porting stored procedures in both PL-SQL, and T-SQL. Once you start adding in less familiar databases ( MySQL/PostgreSQL/SAP etc ) things get dicey quickly. The talent required becomes much more expensive and difficult to find.
Contrast that with writing your business logic in pure SQL92. Database porting this way is simple. translate the tables. watch for weird database quirks. translate your value objects. done. If you use java, then things are even easier now with O/R Mapping libraries such as Hibernate, Castor and JDO.
If you want the best of both worlds, and you have the skills required, just put the SQL in the code, but write it in TSQL/PLSQL as if it were a stored procedure. That way it's easier to develop, and when it's time to write the stored procedure, it's already half written. Just remember that there are very few instances where the performance requirements really justify writing a stored proceedure. Be smart where your optimize your database.
A friend of mine worked at a company that put a lot of logic in stored procedures. And, when development was done, kept one cheap programmer and a DB guru. Everyone else was layed off. Could be cost effective i suppose.
I'm an Oracle DBA, and I like creating packages of stored procedures and functions (and especially table functions) that represent an API of sorts to the database. This means that the application code doesn't care how the data is stored, and the DBA is free to rearrange the data for tuning purposes, without requiring any app changes (assuming the API remains constant).
In the past I've supported keeping more of the business logic in the database, but I no longer believe this is an optimal design. Now I keep business logic out of the database as much as possible and limit the stored code to enforcing data integrity and making the database look like a "black box" to the apps.
I've found that, say, writing an app with a lot of code in Oracle PL/SQL, using cursors, etc, means your app will only and forever support Oracle, without a whole lot of re-write and likely re-design.
So unless you like vendor tie-in... stay away from db-specific stored procedures.
MORTAR COMBAT!
triggers that keep history tables
triggers that keep referencial integrity that a foreign key simply can't do
stored procedures that loop through large amounts of data that only return a small amount back
A stored procedure can be an evil, evil thing:
implementing complicated algorithms that can't be debugged
creating HTML
I've seen both sides. It's like asking if javascript is a good thing for web browsers.
John, who gets a 503 when trying to log on
Stored procedures are a performance optimization, consider the following scenario:
Retrieve the 20th page using a page size of 50 records for all the SKUs under a catalog (potentially millions total) for a specific user which could or not have visibility permissions for each SKU. Assume the security provided by the database is too coarse to fulfill the business requirements, therefore some set of rules must be evaluated to determine SKU visibility for a particular user.
That query would normally be very fast if implemented as a stored procedure because:
1) Only one round-trip is needed.
2) You don't have to move all the data to a middle-tier and then filter out information.
3) RDBMSes are usually faster at filtering data out (by using indexes, denormalization, etc.) that what a developer could code in a middle-tier to filter out information.
4) Most RDBMSes are very good at scheduling tasks, caching, managing memory, etc. The more you move logic away from it, the more you would have to implement it yourself.
You could send all the SQL statements to the database and achieve the same effect, but it might make debugging harder and you still have all the SQL logic in some place, only a different one.
On the flip side:
1) It's harder to write stored procedures than it is to write code in a managed language like Java or C# (thirty-line SELECT statements are not very intuitive).
2) Generally speaking, the compiler of a managed language does a better job at catching errors than a compiler for stored procedures, where a lot of the errors will be caught at runtime.
3) Stored procedures are not portable.
My advice is, if you are only using the RDBMS as a persistence device and your data size is not huge, avoid stored procedures and create some sort of middle-tier object model. Only when performance is a impediment, use stored procedures. You might as well use a hybrid approach, try to model as much as you can in the middle-tier and implement stored procedures for those tasks which are performance intensive.
I work with people that worship UML and patterns as well with RDBMS Gods that can plow through pages and pages of stored procedures without blinking. As much as I love ULM and patterns there are some tasks that must be done in the RDBMS for performance reasons, and tasks that are simply more maintainable when done in the middle-tier. Both approaches have advantages and disadvantages, the trick is to use the best approach according to the situation.
SP's are the poisoned apple... shiny, polished, better benchmarks, they seem ok, and, besides, everybody is doing it, right?
Any SE on a large project will tell you: stay clear of SPs -- no matter what the DBA's say in the meeting.
...mmmm, poisoned apple.
As a programmer, I find that making a change to a query or table can cause me rewriting code in every application I've developed.
With stored procedures, I just refence the stored procedure name and leave the query tinkering to a DBA.
The only thing that I have to make changes for is when the DBA changes a column name in a table or a parameter for the stored procedure. Also when a stored procedure is in use, and it needs to be changed, I have to make the program use a second procedure name and switch procedure names each change, because if the procedure is changed as my program is running, it will break if a parameter is added or removed.
I had to work on a docket calendar program for a law firm and we used stored procedures with the reports. The managers and lawyers were always adding things to the reports which needed changes to the stored procedures. We eventually maxed out the max number of tables allowed, and each stored procedure was five pages long with if else statements because of all the things that the managers and lawyers wanted.
Using regular queries would not work because of the flexability that T-SQL had to meet the law firm's demand. MySQL would not have cut it. The reports were in Crystal Reports.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Architecting? Why not use the much simpler (and... REAL) word "building" or "creating"? That's sort like saying, "Were carring up to the mountains this weekend." "Driving" would've worked much better.
This question is almost as old as computing itself.
You want to have your logic physically close to the data. Stored procedures is one way to achieve that.
It is a balance to strike which very much depends on the application. So I don't think there is good/bad.
If I had an application that needed to crunch a lot of data that is stored in a database and the logic is such that it cannot be expressed declarative (i.e. a SQL query), than I have no choice but using stored procedured or to ship large amounts of data between the database and the Application.
Stored Procedures. What are they all about? Are they good, or are they whack?
The style in which you manage the project is how you decide. If you do lots of planning on your db apps, you'll find it easier to put data functionality in the database as stored procedures, and you'll put your methods for getting and displaying the data in your web code. If you are just throwing something togather, stored procedures slow you down because you find yourself making adjustments to them to support additional fields or features, causing you to re-test all of the previous calls to that store procedure to be sure they still work.
I have developed in major environments. I have been a DBA and a dev. I have spent some time going through the pros and cons of this question. Over the years, I have come to believe:
1. Nearly all the valid arguments in favor of stored procedures have lost validity as technology has shifted.
1a. Arguments like the one for compiled apps used to make sense. These days, apps tend to be n-tier web apps, so the compiled argument goes out the window.
1b. Argument like "stored procedures provide atomicity" were never valid. Atomicity is attained via transactions whether you use SP or not.
2. SP rely on a single implementation of a sometimes arcane language. Such implementations can almost never advance the way independent languages can. PL/SQL will not get the same advances as say, Python. Oracle's implementation of Java will not advance as well as Java in general. If you have a stored Java procedure, you're stuck with how Oracle does it. If you write an external procedure, you can choose the best JVM available from Sun, IBM, Oracle, or whoever.
3. SP centralize your code. Many people see this as an advantage. I see it as a disadvantage. Every single SP must be executed on your DB server/cluster. If I have a single puny P4 DB server behind 4 load-balanced app servers, I can distribute the load of the external procedure across the 4 app servers. I can load the DB with super fast disks and lots of RAM and modest CPU, then load the App servers with no disk, lots of CPU and decent RAM.
External procedures allow me significant flexibility in my architecture. They allow me to develop in the most effective language. They allow me to use collaborative tools more easily. They allow me to load balance in almost any way I can imagine.
I only rely on stored procedures for 2 things:
1. Transactionality
2. Performance
For everything else, middleware is better. This can mean web services, message queues, etc.
1) Hardware budget.
The company that I used to work for had a large investment in applications servers that at one time ran their own individual database engine. When they made the decision to convert to Oracle they found it quite a bit cheaper to leverage this existing harware setup and spend far less on a few database servers and keep business logic in a middle tier.
On the other hand, if you only have budget for a database server and a webserver, you are far better off keeping business logic OFF of the webserver itself and securely behind a firewall in the database server (you do have a firewall between them right?). There has yet to be an unhackable webserver.
2) Human resources budget.
Pure database developers demand more money than straight programmers. Also, the more workload you place on the database, the tighter you need to have it tuned. DBAs are some of the most expensive IT people out there.
3) Flexibility.
I have yet to see any stored procedure language that can as easily do the same logical tasks and with as few lines of readable and maintainable code as a C++, VB, or Perl program. This is not to say that one can not writed unreadable and unmaintainable in these languages - bad coders come in all flavors.
Far more people know one of these languages and that is part of the reason for the market factors behind them being cheaper. Plus this eliminates the weak link in the chain scenario if you can afford 3 of these type of programmers for every 2 stored procedure programmers.
4) Performance. Yes stored procs run faster than ad hoc SQL. But there are a lot of things that a DBA can do to make ad hoc SQL run faster with query caching.
Your developers should all be familiar with the concept of bind variables too. More often than not, the same queries get executed again and again with minor changes in a WHERE clause. Bind variables can mean orders of magnitude performance difference in these situations where business logic is kept in a tier that isn't the database tier. Not to mention that bind variables are one way to help avoid SQL injection attacks.
Proper (some might say clever) use of local storage and state in a tier outside of the database for commonly used data can eliminate the need to hit the database as often.
Like I said, random thoughts. Mod how you will.
Stored procedures can be created as having the rights of either the current user (eg. apache) or the person who wrote it (eg postmaster). Thus write a stored procedure that can access things the webserver normally can't, while doing some required security checks and not giving access to everything.
I'm asking for it, aren't I?
Personally, I think way too much stuifdf is stored in RDBMSs. I work as a Java programmer in a non-IT industry, and everyone is happy-go-lucky about making every object map to a table. But its a huge impeadance mismatch. We have layers of DTO, DAO, VO, etc. in the way.
I think the world would be a better place if most of the typical day-to-day was stored in an object-oriented, transparent database, and the relational database was left for storing things where an RBMS really shines (arbitrary relational queries, etc.).
Once you've gone the way of an OOBMS, you have objects, so naturally all of your logic stays in your objects. The fact that your objects happen to be persisted for you is irrelavent. All you car eis that you have your objects.
As DBA's I like to see stored procedures so I can gain a better understanding of how the application works. Depending on the application it may be easier to fix/improve a stored procedure rather than application code.
In reality, I don't think alot of people use stored procedures for inhouse applications. Alot of application vendors these days are trying to bypass database specific features for database portability. That may sound good but what you have then is an application that doesn't take advantage of the database which usually results in decreased performance.
For instance, Peoplesoft (if i'm wrong, someone please correct me) doesn't use sequences when its plugged into an Oracle database. Instead they use a table and when they require a unique value they lock the table, increment the appropriate row/column and unlock the table. This may be fine for a few users but for a mid-sized company locking issues are a major issue. Unfortunately for us this isn't addressed until the next version of peopletools and they seem to have an allergic reaction to backports.
The big reason for putting your SQL in the database is because most developers unfortunately don't understand how to write efficient and good SQL. If for instance, you have a PLSQL developer on your team (s)he will understand how to do this. Also, by using stored procedures you will be able to take advantage of all the database features.
Good Ask Tom article which sorta talks about this issue.
Unless your using a 'free' rdbms like mysql or postgresql a database system is a rather large investment. Your not going to be able to cutover to a new environment in a flash for reasons other than application dependence. If your company is anything like ours you have alot of $$ invested in training and experience. Its not a decision to take lightly.
One thing superid asks is In addition, you either have to have a dedicated T-SQL or PL/SQL coder who then is the weak link in your coding chain,. Like I mentioned above most developers can't write good/efficient SQL, so as long as your hired properly then your PL/SQL developer shouldn't be the weak link. (But don't get me started on hiring practices, most interviews are a joke and rarely ask difficult technical questions even for senior positions.)
"Thanks to the remote control I have the attention span of a gerbil."
...is because microsoft didn't write it. SQL Server is Sybase.
Especially for a web shop.
I run web for a medium size telecom, and recently hired two people. I questioned all the applicants extensively about web security and just about none of them had anything remotely resembling a clue. Most of them listed web sites they'd worked on on their resumes, and more than half of these sites were vulnerable to both Form and URL SQL injection attacks, which are largely (in our case, completely) defeated with stored procedures.
(Even more of a good thing when the PHBs insist on being an MS shop...)
Like everyone has already mentioned, if it's a server based application that doesn't have to be pushed out to a ton of clients, using or not using stored proc's doesn't make a whole lot of difference.
Any enterprise level application that is going to be used throughout a large organization now-a-days almost requires a possibly lightweight web interface, more robust or heavy weight application based interface.
Using the same routines to access data makes stored procedures a godsend when trying to share functionality at that level.
With the heavy use of webservice like technologies now-a-days, you could really put those in place of (or in conjunction with) stored procedures and have many different interfaces like personalized list of products/prices for a client, and an application interface for those on the LAN that may do some very data intensive or transaction intensive work, and more heavy duty web interface for those on the road.
Having all the raw data access in one area, no matter how it gets accessed, makes things much easier.
Just my opinion, i've really come to rely on them when it comes to something more than a small website type solution.
<end/>
Let me start out by saying, developers work well in there chosen language but the difference between the code and schemas I have seen between people that understand databases and people who code apps/web pages/middle tier objects is quite shocking. I wouldn't sit down today and pretend to write ASP, PHP, Python code, etc. and be in expert at it. Quite frankly my code would probably suck.
A few bullets
1. Application coders write suck performing SQL and running SQL dynamically makes performance problems worse
2. Forget your pipe dream about writing SQL one time and running it on all database platforms, the SQL is so generic and so inefficient that it inherently leads back to number 1
3. Its better to enforce data integrity in the database, coders who leave all their code in ASP and middle-tier objects don't put things like foreign keys on their tables, have flags flipped incorrectly, and wonder why there are orphan records all over the database. True story, during a conversion of another bank's records I found a customer hadn't been billed for approximately $70,000 worth of interest because of poor data integrity
4. Rolling out changes to stored procedures is much easier then pushing out changes to application code along with being easier to unit test
5. Stored procedures facilitate the use of transactions and set-based operations
I have found VERY few app coders (10+) that actually could write good, clean, efficient SQL code and design schemas to match. The problem lies when you're dealing with a large data-centric application, ALMOST ALWAYS YOUR PERFORMANCE ISSUE LIES IN THE SQL! If you have someone writing dynamic SQL looping through a 500,000 record resultset doing something like this (this comes from an application we purchased), your performance will be horrendous:
BEGIN TRAN
UPDATE IAR SET ARIBDATE = '7/30/2004' WHERE ARRECID = 38196.810543788582
COMMIT TRAN
Your application coders will write this sort of crap instead of using one set-based operation and you will all wonder why your application takes so long to complete an operation.
Your best bet, find two or three good SQL developers and have them do traces and find out how many of those 3000+ stored procedures written actually are getting used. My guess is a whole bunch of them are not being used or just were never cleaned off after their retirement. Next, go in and let them figure out how many of these procedures are one-off of one another, you probably take out a good 20% from there. Now you're getting towards a more manageable number. Very few people are good at database development. It is a unique skill set that can have a major impact on the maintainability and performance of your application. Stay with stored procedures and find some additional database developers if you need them. Let your app and web coders code what there good at, let database developers code what they are good at and you will have a wonderful application.
Use s-procs for maintaining the data integrity only !!
1) Centralized code
if you want to support all the RDBMS you mention then it's obvious that the code is not centralized using s-procs. You have to maintain 3 different versions of s-procs (Oracle,MSSQL,DB2)
Second you code, in some languages oriented in set logic, problems that are mainly procedural. The result is very poor IMHO in both speed and maintainability. If you use Oracle and PL/SQL the problem is not obvious, but if you plan to use MSSQL, T-SQL is the worst language i am aware (to the point i dont consider it as a language at all)
2) Compiled SQL is faster
Execution plan of Ad-hoc queries is also cached
3) Enhanced security
It must be really lazy the admin that demands to access the database using s-procs only. All RDBMS offer finer methods to secure the data than this.
and last
Since your application is "highly data-centric" using s-procs for data access is actually an SQL sterilization
No matter how clever you may code your s-procs nothing beats in speed and flexibility the adhoc (dynamic) queries, so the power that SQL has, is never delivered to you or to the end-user.
For the reasons mentioned above (speed, database control on the database where it belongs etc). But also because you can do things you cannot do in dynamic SQL. In ORACLE you can increment a sequence using dynamic SQL, but you cannot do this eligantly in SQL Server, which is a very big problem. The only way in SQL Server to get the ID of a row inserted reliably is to use a stored procedure which returns a record set or output parameter. Anyone who uses SQL Server for complex applications should agree.
Sometimes it is just not possible to obtain any decent performance without stored procedures. For example, suppose you have to do some complex calculations on a large data set and then crunch it down to a much smaller result.
Without stored procedures:
Application server - run a large select on DB, transfer a huge amount of data, crunch it. Very inefficient since large data transfer (usually done over network) is very costly.
With stored procedures:
Application server - simply run stored procedure on DB and get small results data set back. Much more efficient since no large data transfer is required.
"You mortals are so obtuse." -Q
Personally, I find Stored Procedures to be a very difficult thing to manage in the long term of software development.
If you are designing a web application, then I find it much more maintainable to utilize DAO interfaces & impls since this allows you to make changes that might be necessary should you experience an unexpected change in your environment.
Need to move from MySQL to Oracle? Simply override any db-specific code from your ANSI Impl, and go.
Although if there is no chance of an environment change, stored procedures become much more attractive.
Use stored procs when you have complex queries like reports at least. Putting those large queries in your code just looks bad.
On the other hand, you should never, ever put actual application logic in a stored procedure. The reasons are several. The most important is that stored procedure languages are all, to a greater or lesser extent, crap. This comment will cause me to be flamed to death by those who only know PL/SQL etc, but the fact is it's true. They are not general-purpose programming languages.
Sure, you might not RIGHT NOW want to fork off sendmail from your application, but some day you might. Or, horror of horrors, maybe you'd like to write directly to a system file? Or use a neat SNMP library you found? Although there are twisted, hacker-like ways to do these things in most DBMs they are hardly the model of reliability or professionalism. [1]
Secondly, they tie you in at a fundamental level to a particular database vendor. Database software is generally neither Free nor free. They want you to put your business logic in their stored procedure language because it will only run in their database products. Lock in is bad. OK, you'll be locked in whatever you do, but I'd rather be locked into Java or Python than PL/SQL.
Thirdly, you are losing control of your application's performance. You have very little control over how the code will be optimised or run.
Fourthly, you are breaking abstraction. It is very, very hard to write stored procedures which aren't entirely dominated by the structure of the underlying database.
Finally, assuming you probably will have to have a middle layer between the client and the database anyway, it's a bad idea from a maintainability point of view to bits of the same functionality among your layers.
[1] have you ever written a cron job to run a query to dump a table to a file to be parsed by a Perl script to send an email? You might be an Oracle Portal user.
The web is your current interface. If your app is 15 years old, you had another interface before. Don't believe this is the last one. Keep you SP and data logic in the database and it will grow even if/when your interface changes. You'll change/add interfaces more often than you will change databases.
pros:
easy to switch the frontend
maybe faster
Ability to add more security. Important these days when everything runs under "web/web" or "prod/prod".
cons:
no easy way to put under the source control - there is absolutely no way to be sure what exactly this particular installation is running. Too easy to change the source.
Flat, simple languages. No comparason with Java, etc as far as creativity, OOP, libraries, etc.
Different style of programming. Good SP developers are never on good terms with neither "enterprise" or LAMP programmers.
I started working on existing app 3 years ago. At that time the app was a 3 tier ASP/COM/SQL Server app, where all the DB queries where dymanic SQL in the COM layer.
For performance reasons, we started pulling the SQL out of the COM layer and in to stored procs. The performance benefit came not because the sproc is precompiled, but because we can pass all the data to the DB in one hit, and not have to wait for network round trips between each step in a multiple step process.
Say you have the classic 'pay money in to your checque account from your saving account' example. You're business logic layer will probably be something like:
1. start a transaction
2. get the current savings account balance
3. make sure there's enough money in the account to support the request
4. debit the savings account
5. credit the cheque account
6. write some log (so the txn appears on the next bank statement)
7. commit the transaction
In a typical 3 tier app, between each of the steps above there will be a network round trip between each step, which will take say 10ms. neither the DB nor the app server is doing anything useful in that time, they are just waiting for data to go back and forth over the LAN. But you've got uncommitted transactions, which means rows or tables are locked so other processes have to wait.
So anyway, in order to scale up, we had to put all our business logic in to sprocs. The downside of this is writing stuff in TSQL in Query Analyzer means you don't get any nice IDE perks like code completion & intellisense etc.
The thing about having a DB guy is a red herring - you've got to have someone write SQL at some point, whatever layer you put it in.
In my experience, this is a difficult question to answer. There are many factors that you should consider in making a decision to use all stored procedures or not.
First, every business has different needs. Every software development group is also different in what they can or cannot provide. There are camps on both sides- many people in the database discipline will say "put everything in the database" while hard code developers will sometimes opt for queries in code.
Some considerations:
1) Consider the needs of your application. Is there a good chance your application will need to talk to another database platform or backend at some point in the future? This could be an argument for not using stored procedures. AS far as centralizing business logic goes, that can be done in just about any tier.
2) Where is your current bottleneck? How possible will it be to scale out your database server? If you are in a web farm scenario, your database server may be under significant load. Putting more logic on the database server can be a lot more expensive- it is typcially a lot cheaper to sacrifice performance on the backend for scalability. In other words, if you can keep your database server relatively load-free you can always add more web servers. I currently support a site that has over 2000 concurrent users at any given time, and currently our DB is the biggest bottleneck. It is a lot cheaper to cluster web servers than DB servers, since the DB is centralized and web servers can be duplicated easily.
3) Consider the experience of your staff and the culture of your IT department. If you have a lot of developers/dba's that are used to programming with stored procedures, and management is used to that paradigm, it may be difficult to change architectures without a compelling reason. "If it ain't broke don't fix it".
I'm sure there are other considerations, but those are probably the most three important ones I can think of right now.
Is it just me, or are stored procedures used mostly for trying to shoehorn non-relational data into the relational data?
You know what I'm on about.. The umpteenth stored procedure to do some recursion to manage some sort of tree in a rdbms. Can't do recursive SQL (usually), so we'll solve it in a stored procedure (rather than take a small performance hit and sort it out in the application logic), because a tree just doesn't fit all too well in a relational model (unlike, say, in a hierarchical model)..
While I'm sure pros love the optimization capabilities SPs give them, and some might enjoy the abstraction that can be achieved, I think this is what suckers most people into the SP camp..
(Of course, SPs can be downright evil, in that they encourage vendor lock-in to quite an extent, but then, switching to a different RDBMS is hard anyway).
SCO employee? Check out the bounty
If you dont have the luxury of using a clustered setup like Oracle RAC your DB will always be the performance bottleneck and and the toughest spot to scale.
IMO, SP's that are used to implement business logic are not optimal to get the best scalability out of your architecture.
Logic costs performance, thus the DB load overall increases.
Applications can be created so they can work joyfully in loadbalanced architectures, DB's are much more expensive to scale this way.
Version control with SP's is a freggin headache.
Logic IMO should stay in the code, the DB stores data and ensures data integrity.
"Architect" is a noun, not a verb.
DBA: "I think we should use more stored procedures"
Project Manager: "That would be consistent with our n-tiered strategy"
Programmer: "But all of our business rules are in object libraries"
Division Manager: "Could I get the ranch dressing? Thanks."
DBA: "The right way is to put business logic in stored procedures. It's faster"
Project Manager: "We're standardizing on faster programs across the enterprise"
Programmer: "But we'll have to re-write the entire system!"
Division Manager: "Pass the pepper. Thanks."
DBA: "Oh, that's alright. We were going to upgrade the servers too. We can finish both jobs at the same time"
Programmer: "We're upgrading the hardware too?! So basically we're building the entire company from nothing again, right?"
Project Manager: "You're not being much of a team player"
DBA: "The new system will be more robust and have new features"
Division Manager: "Lets get the system built as soon as possible. We're laying off the entire division in a few weeks"
Programmer: "WHAT?! I just signed a new car lease!!"
Division Manager: "Pass the croutons please"
Business isn't willing to pay for products, innovation and careers, so we get brands, mortgage commercials and layoffs.
In our enterprise, SPs are the norm. I've also worked on projects where embedded static sql with host vars was the standard (high volume order processing app), and where dynamic sql was the norm (quick build web site).
As with most architecture choices, SPs have their place. Here are the guidelines we try to enforce:
1. For online actions, KISS. Do data access only, unless the alternative is incredibly difficult biz logic in the app when it would be simple in the SP.
2. For batch, SPs are okay, but you must use cursors, checkpointing, control table, etc. In short, a proper batch arch.
3. Keep dynamic sql in the SP to an absolute minimum. Exceptions must be approved by God.
Despite the guidelines, main issue we face are shitty, unmaintainable SPs, where business logic is spread between app logic and SP. Second issue is unreadable SPs because they are building dynamic sql and executing it. Bad, bad, bad.
Whether or not the compile time affects you is another decision. If you can throw cash at the problem, more CPU is often a pretty good answer and cheaper than a good programmer. If you're trying to run your website on a 486, well, SPs are a better call.
That said, you missed a number of advantages of SP's, most of which have been covered in other posts pretty thoroughly. Still, the "flip side" to vendor lockin is that it's possible to perform some significant, vendor-specific optimizations. A good Oracle DBA understands the data structures and the way they are accessed at a low level, giving him/her the opportunity to write code that does the right thing, all the time. This low level code that encapsulated basic logic can prevent a lot of silly mistakes or poorly written code.
One DBA can make the SP's for a whole lot of Java,PHP, or whatever coders and make their life much easier. Since the DBA is ultimately responsible for the DB performance, it's preferable to give them the visibility into the code they need to keep everything running well.
Does this create vendor lockin? Absolutely. If that's a big concern, you should probably not use them. If you need to squeeze the last bit of performance or reliability from your DB, then vendor lockin might not even be a consideration. Just buy the best and fastest DB (and DBA) out there and don't look back.
A good discussion on this topic can be found at this blog entry: Don't use stored procedures yet? Must be suffering from NIHS (Not Invented Here Syndrome). The content of the blog post (by Rob Howard, a former Microsoft employee who most definitely knows his stuff) is definitely a good read, but the real gems are in the comments, which there are plenty. There's an equally interesting thread on this discussion by another blogger with his entry called Stored Procedures are Bad, M'Kay?. Both worth reading, if nothing else for the comments.
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
I know there are exceptptions but in most cases....
1) Stored procedures are not written in an object oriented language and are almost always not written in an object oriented way.
2) Stored procedures are not checked into a version control engine.
3) There is no sane way to organize them beyond manimg tricks. No breaking up your stuff using directories for example.
4) No global compilation. No way to check ahead of time whether you just broke another SP by passing a string instead of a number in as a parameter. You won't know that till it runs.
5) No unit testing frameworks.
6) No cohesive way to examine code flow. What you end up with is a mountain of code snippets scattered all across your database. Cross your fingers and hope each step gets excuted properly.
7) No real debugger. No stepping through the code, no breakpoints, no watches.
8) Most commercial databases charge you per CPU. This means your CPU cycles are best used to keep data integrity, process queries and return recordsets. Most middle tiers are not licensed on a per CPU basis so you can afford to throw a lot of CPU cycles into executing code.
9) Last but not least you can couple your middle tier using a high speed interlink so there is no real need to use SPs.
Feel free to add to the list. SPs are not good.
evil is as evil does
having your apps portable across DB's is one of those things people always think is important but in my experience it's a total crock for an app that is going to be installed in a single location, i.e. a commerce website or an enterprise specific app.
.Net.
You are just as likely to want to change your middle tier as your DB. More likely, in my opinion. If your business logic is in sprocs, then it's as easy to call from Java as it is from
The answer to this types of question will always be "it depends." I personally use all kinds of stored procedures. It is far more easy to secure a database based on sprocs and views than it is on the table or field level. So sprocs bring security to the table.
If I'm doing an operation that would be better suited "close" to the data, the answer is again stored procedure. It saves you round tripping that data back and forth potentially multiple times. You also get the added plus of the procedure cache, but honestly products like SQL Server 2000 already do an excellent job of caching ad-hoc statements.
Probably the best case against stored procedures is if you are using an O/R tool that generates code dynamically based on your tables and rules that you set up.
I'm not for putting all your business logic in a sproc. That's a bit silly. If you are concerned about having to update clients if it changes, you might want to look into developing some middleware components. It's pretty easy if you haven't done that in the past. I'm not for accessing everything via ad-hoc queries either. The risk of sql injection is too great (yeah, yeah I know your an expert, but what about that intern we hired to make some UI updates...), and security is just too difficult to maintain at that level.
Dream on, pal!
This is a hot-button topic for me, so I'll try to keep it simple.
When I came to my current job, my opinion was to keep as much of the logic in the application as possible, stored procedures should help make the developer's life easier, and make the database more robust (triggers mostly do this part).
When I came here, however, they forced EVERY SINGLE QUERY into a stored procedure, and like you said, it brought development speed to a halt, because every project was assigned "a database guy" to do the work, but there weren't enough database guys for the projects.
It was pathetic, and when our big layoff occurred (we got bought out), we found alot of really really bad stored procedures that the so-called experts made for us.
Worse, it makes code releases a nightmare, because not only does the codebase have to be updated, but the database too, every single time. Unlike code bases where you can checkout your latest release, with databases you have to a) find all the altered database scripts, b) package them up for the release, c) halt the database for the release and d) run the script at go-live and hope you didn't miss one more thing.
Mind you I still use stored procedures, views and triggers where they make sense (when it's obvious that it just belongs in the database), but mostly I try to put as much logic as possible in the app.
Now you want to make me get into NULL values and candidate keys issues too! Bah, no NULLs anywhere, #1, and #2, don't make up integer primary keys when an existing field will work. Don't let your database administrators talk you into it, I beg you!
Where I used to work we generated stored procedures for all tables based on the referential integrity and indexes defined in the database. This code was regenerated when the data structure changed. Along with this code a set of small classes to allow simple (typed) access to the data were also created. The classes also supported batch updating of mutliple rows for a set of data.
These generated procedures allowed for the majority of data access that was required to be done using all the benefits of SPs without having to write them, and made the number of SPs that needed to be handcrafted manageble..... From the application side where the logic was enforced the interface to retrieve and save data was very clean and neat and typed.
I work with several in-house database applications implemented using PowerBuilder. They run against a Microsoft SQL server.
We decided to use stored procedures instead of inline SQL so that we could make modifications on the server instead of having to change the code in the application, recompile it, repackage it and deploy it to over 100 PCs.
The drawback is that it's not always easy to know what's going on because the application is broken into various parts. That is there are business rules being enforced in the PowerBuilder code and in the stored procedures on the server. I guess once you get to know the application really well it doesn't matter but it can make it a real pain in the ass for a new programmer.
The race isn't always to the swift... but that's the way to bet!
I am working on a few fairly complex Filemaker databases and for many functions, stored procedures are the way to go.
If the calculation needed is fairly comples, I prefer to do the work at runtime using scripts. That allows me to tweak the results for the situation the user is in when the function is called. If it's something simple like percentages, go for the stored procedure. It's simpler. Set it up and forget about it.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
1. You're relying on the external process for all your data anyway - if the app screws up data, it screws up data.
2. Stored procedures are hardly immune from sloppy programmers who don't understand data relationships.
3. Stored procedures are prone to being hacked by DBAs with no concept of software CM or development processes....
The big downside of stored procs, from a system administration point of view, is that they make it difficult to migrate to a different brand of database. Let's say your organization just bought a brand spanking new Sun Fire 9990000 and it's got Oracle 20i running on its 512 processors. You've been granted permission to move your application onto it!
Scenario A:
You didn't use stored procs. You migrate the data, change the DSN's on your app tier, and you're done.
Scenario B:
Not only are you a moron for choosing MS SQL Server, you're a double dumbass moron because you wrote lots of stored procs and triggers. Now you can't just move the data because every RDBMS uses a different language for stored procs. If you're lucky, there might be a conversion tool. If you're really lucky, it might even convert 50% or more of your code without errors. But you're in for a lot of work.
Tired of FB/Google censorship? Visit UNCENSORED!
How large is your application? What architecture are you using? Are you using an application server? Does the application server manage persistence? Is the application distributed? Is vendor lock-in an issue with your database? Do you have a staff of knowledgeable DBAs to code and debug stored procedures? Do you have a strategy for passing exceptions to the business tier? Is performance really that much of an issue?
.NET stored procedures, but that's all fairly new and I'm sure there's a catch somewhere.
Some things to consider:
There is no standard (or convenient) way to pass or return complex data structures (objects, arrays, etc.) to and from a stored procedure.
Stored procedures can return cursors, but implementation differs from databas to database and driver implementation to driver implementation. In my experience it's more trouble than its worth.
Application servers nowadays have very efficient persistence management that monitors object properties for changes using dirty flags and whatnot. Tools such as Hibernate can even track multiple of changes to object in memory before actually committing the data to the database, reducing the number of transactions, which may increase performance more than a stored procedure.
Stored procedures aren't good at logic. The looping and conditional structures are very primitive in most cases. Oracle has Java stored procedures and SQL Server 2003 has
It's always more difficult to debug a stored proc. You can't exactly compile it -f and run it through an IDE. You'll have to use printlns or SQL traces in most cases.
Transaction management can get complicated using stored procedures. Many application servers/environments have transaction management through message oriented middleware...if you build all of that logic into stored procedures then that defeats the benefit of using configurable transaction management.
Stored procedures can be good, but they are really at their most useful in 2-tier architectures (client/server) on set-in-stone platforms. There is a lot of PowerBuilder/Oracle stuff out there, especially in the Government, because Oracle ain't going nowhere.
Personally, I'd avoid them (makes everything simpler and is the most flexible option), but it's up to you. Use constraints and triggers (where you have to) to ensure integrity, but handle business logic in the business tier.
Mods, how is this insightful again?
And on the large programs I've worked, I've seen too many DBAs who think nothing of going in and changing things on the fly on an operating system.
At least if your business logic is compiled into a binary, it has to go through some sort of CM process.
1) The DBAs
2) Junior Microsoft developers (typically VB)
3) J2EE developers (N-tier developers)
My experience has been that DBAs are usually proponents of stored procedures. There are two simple reasons for this.. familiarity of database engine and job security.
The Junior developers who typically develop two tier apps prefer stored procedures for performance reasons, because there is usually a big-a*s backend database server which can lift a lot of the data processing load.
Then there are the N-tier developers who are seasoned enough to pick the right architecture. These people prefer non-stored procedural approach. They understand that the database is a persistent store and business logic should be in the middle tier. It gives them flexibility to swap database engines and business logic modifications are localized to the code modules they are working with.
When was the last time you saw the CPU sustain a high load on your database server? Database machines are constrained by I/O (disk and network) and memory, not by CPU in most cases. Therefore, your 8-way SQL box is sitting at 10% utilization. Why not get a bit more use out of it?
Portability for the sake of portability is a waste of time. More importantly, given that every vendor has non-standard extensions, and the SQL definitions (SQL-92, SQL-99) don't go far enough, you'll find that you almost always need to use some vendor-specific features, whether you're writing ad-hoc queries or stored procedures. At least with stored procedures, you only have to change it in one place when you migrate, rather than changing it all over your code. Tell me, how do you add an AUTOINCREMENT/IDENTITY/auto-numbering column to a table in vendor-neutral SQL?
Says you. In my team, all of our stored procedures are stored in the same code tree as everything else, controlled by the same source control. We take it even a step further, and check in all of our database object generation code (tables, keys, indexes, triggers, etc). So, just because you don't track your stored procedures in a source control system doesn't mean it can't be done.
You're assuming that the speed benefit from stored procedures typically comes from the fact that they're compiled. While that's true, it's also not much of a benefit (you might win 50-100ms per query, yay!). No, what's more important is that your queries are centralized, so that you can optimize them more easily. What's easier to optimize: A single query to <insert operation here> in a stored procedure, with the procedure called by 100 different methods; or 100 different queries to <insert operation here> across all of your code? Yeah, sure, you can centralize that as well, but what's stopping a developer from writing his own query rather than using the optimized one you've already provided for him? With stored procedures, you can deny access to individual tables and force that person to use your stored procedure.
I only have one compmaint about usign stored procedures. Fro ma programmign prespective if can be rather difficult to debug queries when you add this extra layer between you and the underlying query. I highly recommend you decide on an elaborate naming scheme before you begin. It can be very difficult to 1) Look at a stored procedure and identify the code that is using it. 2) Find a stored procedure in your DB managment tool if you have a buttload of stored procedures. The more well defined the naming scheme the easier it can be to find your stored procedures.
I would recommend some sore of pattern like [Program Module]-[Verb (Select/Delete/Update)]-[Noun]... or somthign along those lines. Sorting out a SP with a name like "USER_ADMIN-SELECT-USER-BY-USER_ID" is much easier to find than "Get-User" or "SelectUser".
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Buddy of mine at work says that at his old job, they kept the stored procedures scripted in a directory under version control, and it worked out nicely for them. Haven't really pushed for it at current company, since the only source control is MS Sourcesafe...if we succeed in our Subversion advocacy we might go for it.
I'm a long term oracle DBA that has worked (and still works) for several large companies, and the general agreement is that business logic should be kept in the database, to ensure data consistency. Business logic can only be stored as a stored procedural object, because, by definition, business logic is procedure applied to data in order to conduct given business. Problem with holding the business logic in the application is that while applications have to access the data in the database, they may may have different understanding of business logic and thuc, very good chance of creating a mess. Putting the business logic in the database means that all the applications will have to use the database version of business lohgic.
The only major advantage of stored procedures that I can think of is that of reduced communication latency. So, if your query is particularly enormous (and sent zillions of times by jillions of connected clients over slow connections), then I *might* consider a stored procedure.
But, other than that, stored procedures tend to pose very big problems from the standpoint of maintaining an application that evolves over time. (I know, because I used to deal with this at a company that I worked at.)
Imagine, for a moment, that your Software version 1 has a particular DB schema, and uses a set of beautifully-crafted stored procs. Then, when you come out with version 2, your schema may have changed; so, as part of your software installation procedure, you now need to run SQL scripts to update the stored procedures. (If the code had all been in your C/PHP/etc. program in the first place, you wouldn't have to worry about that.)
So far, you're probably thinking: "What's the big deal? It's just a change to the install routine." True, but also not true. What happens, then, on the day in which your software installation routine dies or the user installing your software does something unexpected (e.g., power goes out, etc. etc.).
Well, I'll tell you from experience (and I've seen this over and over and over): your customer's multi-gig database now probably has half of its stored procedures working for Schema 1 and half for Schema 2. And your application probably works fine, until one day, when the user tries to do a certain particular thing, which then opens up a big black hole of nightmarish debugging & tech support doom.
I have seen variations of this happen so often that I have just become convinced that stored procs are not worth the trouble -- far better to modify your app, and keep all of the necessary SQL there (and in one consolidated place) than to have to worry about keeping the customers' DBs in sync.
1. SPs turn your database into an application server, centralizing things that needn't be, and raising load on that central machine.
And having all that load sit on an application server while also taxing your database server with poor performing queries is better?
2. SPs invite use of vendor-specific features, and therefore lock-in and loss of portability.
Unless you work for a software development company, I see the purchase of a core database server being one of those one-time-only purchases.
3. SPs are not typically amenable version control and are maintained outside the rest of your code base.
SQL Server and Visual Sourcesafe can be integrated together and all SQL scripts can be checked into your version control suite of choice.
4. SPs represent "premature optimization." There may be a time and a place for SPs, but they are used a lot more than needed in many applications. For example, one application at my company has over 1,000 SPs, and quite a number are just wrappers for simple select statements.
Would you rather write it once where you KNOW your going to get the best peformance or figure out at the end of your development cycle that your loop through 500,000 rows is slow performing considering that both cost you about the same amount of time. Also simple selects could be there for the purposes of security. If you run your applications exclusively through stored procedures when working with the database you can deny all rights except for the procedures to your application thereby enhaning the security of your application.
Sorry I must disagree with number 3.
Source control is rather easy to use with stored procedures. I do it every day. I have a 'dev' database with a snapshot of some data. The 'real' database is built out of the source control. So for my work to get in it MUST go through source control. I put that in place so people would stop 'hacking' the real databases. It cleaned up lots of big files laying around. Simplified installs and made changing things a snap.
Its only hard if you LET it beat you. Total time to make it happen? About 3 days of work. Time saved? I would say months of 'do you have the main file?' 'can I change this stored proc or are you?' 'who the hell did this?' 'why did they do this?'. Its all in source control the who what when and why.
Let's do some math here:
If you assume it takes you 4 hours per procedure, that's a bit more than 2,000 hours total time. Call it a man-year.
Now, your program will need to test all those procedures. Call that another man-year or so when you account for all the overhead of coordination between you and the testers (and all the other BS that goes on when more than one person is involved...). And you are going to test, aren't you?
Now we're up to two man-years.
It costs a company at least $100,000 per year to field a decent IT person (counting taxes, insurance, benefits, overhead like lights, heat, air conditioning, and computers...).
So, to migrate those 591 stored procedures just once costs damn near $200,000.
You could have just done the work in ANSI SQL and buy a lot faster hardware with that much money. And any time you want to change databases, you'd just have to modify a few makefiles to use a different SQL precompiler.
Does it really matter if my business rules are centralized in stored procedures or in a set of php/asp scripts (ie, in the web tier)?
Only if you care to reuse the logic anyplace beside the PHP/ASP scripts (I won't comment on putting the logic in these scripts in the first...won't even go there).
For example, you already have a bunch of SP's in your system. I don't know what you C/S clients are written in, and it doesn't matter. What does matter is all of those SPs are available right now to you as a PHP/ASP programmer.
In addition, you either have to have a dedicated T-SQL or PL/SQL coder who then is the weak link in your coding chain, or your pool of developers must become fluent in both your scripting language of choice as well as the SP language.
And you have that exact same problem with your HTML/Javascript/VBScript/PHP/ASP coders. How is this any different? You have to write SQL code in your pages anyway, it's a small leap to writing that SQL as a SP.
As for DB lock in, you're just as locked in to PHP or ASP, so how is this any different in that regard? You can't just up and move your PHP app to ColdFusion or whatever.
While DB portability is "nice idea", performant applications need to take advantage of DB specifics no matter what (whether it's SPs, query structure, or "hints", or special SQL syntax).
The way around that problem is to isolate your SQL. SP's give you a nice place to do that (since somehow I doubt you'll be doing that in your PHP/ASP code).
I'm a web programmer who's worked on databases externally, and built a few in MS Access, but my new job has a big ol' MS SQL Server database and my project has a LOT of stored procedures. As in, there's nearly no SQL code in the ASP at all -- just calls to the stored procedures.
This is difficult for me, because in order to understand the code I've inherited, I need to read it in two places -- the ASP page and the SQL stored procedure. Both are somewhat weakly organized and incompletely commented. I can do it, but it would be much easier for me if all that logic were in the ASP. That's the down side.
The up side, I understand, is that it's more efficient to use stored procedures. Many of them involve procedural logic in addition to SQL queries, and (I'm told) it's more efficient from a processing perspective to have it there.
I'm confident I wouldn't have any problems if the ASP code were THOROUGHLY commented, especially when it calls a stored procedure, to tell me exactly what was going into it and what was coming back out. In other words, stored procedures should be treated as included functions by a programmer and explicated somewhere outside the database to make the programmer's life easier.
Personally, I disagree with putting too much procedural logic in a stored procedure. It just doesn't seem to belong there. But if I'd started out in databases instead of in Perl, I'd probably have a different outlook.
Do you have them working at the moment? Last time I checked, the whole python side of postgres's stored procedures was broken (at least with recent python releases) due to Python's rexec module being disabled for security concerns.
Looking at the current online Python documentation, it appears that the latest python release still has rexec disabled.
I guess you could hack around this as long as you trust the code that you're going to be running, but it seems a bit ugly. Fortunately I'm happy enough with plpgsql for the stored procedures that I write.
And now you can thank God you didn't pick Sybase...
I agree with the point about including all business rules in a single location.
My tendency with data intensive applications is to put all of the business logic in Oracle stored procedures. I then have a variety of front end applications accessing the stored procedures. When the integrity of the database is the main concern of the application, I might write all of the business logic in a Java, PHP or C++ layer, hoping that no-one dinks with the data.
The big advantage of putting all of the business logic in the PL/SQL layer is that it helps make a very clean separation between the different tiers of the application.
On a related note, would you recommend Emacs or Vi for general text and code editing?
Your pizza just the way you ought to have it.
We find that database procedures (the ingres variant) are critical as they allow us to expand the capabilities of the various systems we run.
For example out finance system stores it's data in Ingres, and with the ability to create database procedures and set them to trigger on events, we are able to identify activity that is of interest and automatically export data. This allows us to link our finance system (commercial off the shelf product with no source code) with our inhouse reporting systems (full source code access).
It gives a level of functionality that would otherwise require customsing a commercial product (read $$$).
It also allows us to build smart audit code into the database that allows us to in a single place implement audit rules irrespective of what applications (past, present, or future) access and use data in the database.
Also, where complec transactions require a large amount of network I/O, and a view is not suitable, it is better to invoke the database procedure from the front end and just read in the data as it comes back, rather than sequence SQL transactions back to back, processing data at either end of the wire and throttling activity to match the speed of the network connection.
Database procedures rock !
Don't use stored procedures in your initial design. But also don't rule them out in your original design. Once you've implemented your application, remember that stored procedures are available as an optimization technique, if the portion which turns out to be slow is amenable.
There are trade-offs involved in using stored procedures; primarily that they are separate from your application code and therefore that two parts have to agree, and that it is more effort to modify stored procedures. They should therefore be used only if and when they provide a necessary benefit.
If your design rules out stored procedures, you'll probably have performance problems at some point. If you use stored procedures all the time, your DBA will never get a chance to optimize them (and the rest of the database), because you'll be constantly needing them tweaked.
It is actually worthwhile having stored procedures duplicate application logic when you use them, because then you can test their results against each other, and your application developers can follow what is going on; otherwise your developers will keep bugging your DBA and prevent her from getting anything done, you'll have to have someone less skillful write stuff while she visits relatives in China, etc. (not that I have any experience in this...)
As usual the answer is probably: That depends... If it's a one off application against a database that was built by a programmer and it will only be used in the "one application one database" scenario, it probably doesn't matter too much.
If it's important data that will be accessed by multiple interfaces/applications it's probably better in the database (performance/maintainability/resuability/etc). I've seen very successful deployments where the only access to the data was through stored/procs. The developers were able to focus on the application and the user interface and didn't get bogged down in religious arguments about database design and data management (which they probably had less background/experience in anyway).
In the end the developers liked developing code that way. All they needed to know about the database was inputs and outputs.
The main difference between SP and application servers is that SP in th DB grow vertically, that means you need more powerfull servers to run the logic, and the AS grow horizontally, which means that you can add more servers in parallel...
:)
With an AS is much easier to mantain and escalate an application
What I've found in most shops is people use stored procedures because they don't understand anything but the most basic aspects of SQL and it's the only way they can have nested loops without sacrificing too much performance. They don't understand how to use subqueries, outer joins, complex select logic, etc. So they break the problem down into multiple small peices or nested cursor loops. I simply don't buy the argument I've seen by other posters which goes "use stored procedures so you only return what you need". SQL will do that if you use it correctly.
Also, stored procedures tend to have limitations dynamic SQL doesn't have. For example, suppose you have a partitioned Oracle table that's using a data-based partition key. You can't create a partition from a compiled stored procedure without jumping through a lot of hoops (with associated ugly code).
As far as the speed goes - I don't know about other vendors, but Oracle caches the execution plan for dynamic statents, so if you send the same statement twice it'll run about as fast as a stored procedure. In any event in most business applications the query plan generation takes much less time than the actual query execution, so it doesn't matter that much unless you have a statement that gets executed thousands of times.
And you can get bit using stored procedures, too. If your statistics have changed drastically since you compiled your procedure you might not be using the correct query plan. Not a big deal for in-house applications, but do you expect your customers to recompile stored procedures?
Depends but,
Well i would only use them for simple tasks that need atomisity. Like autocounters. All other application specific datacode should reside in the busines layer. Or in the mapping layer if possible. It is the same as not putting busines logic in the GUI. There are exceptions, but you should think otwice trice or four times before using stored porcedures.
There are no stupid questions, Just a lot of inquisitive idiots. (from a good friend)
By having SPs, istead of hardcoded sql, a skilled dba might be able to optimize / update the query as teh database structure/organization changes. . .
You should use them where they're appropiate. For some things they're great, and in general I think using stored procedures and views for even simple things can bring great flexibility. For example it can be convenient to be able to fix bugs by changing stored procedures instead of distributing a new version of the program, and it helps writing good code too. Things look much nicer when the executable does the interface stuff and doesn't consist of lots of embedded SQL.
Also, they can bring huge performance benefits. For example, by turning the function that calculated an article's price (which depends on client, which may have VAT apply or not, may be discounted or not, etc) to a stored procedure.
The intent of the function was to get the final price. By retrieving such things as rows from the client and discount tables you're introducing unneeded latencies into your program which will now have to wait while this data gets delivered, used, and then almost certainly forgotten unless you implement some kind of cache.
By keeping all this stuff on the database server and only sending the result to the client you save bandwidth and time. My rewritten function executes more than 10 times faster than the original written in VB using ADO. By the way, if you really want to get the maximum performance possible in VB, first move the code to a stored procedure, then write a VB wrapper that caches the Command object. Turns out creating ADO objects is quite noticeably expensive.
I'd say the main considerations are:
Are you getting things from the database you will forget soon? If you will be retrieving data from the database to only use it temporarily in a complicated operation to forget it later, then it's probably better to avoid making it go through the network at all, so use a stored procedure.
Are you writing code with lots of SQL? If so, it'll look much prettier in a stored procedure than as a mess of string concatenation in whatever language you use.
Are you passing complicated data types? If whatever you're sending to the database is going to contain quotes, floating point numbers or dates, it might be safer to put the code in a stored procedure and call it with ADO or whatever you use so that it deals for you with issues like quotes in strings and date formats. Sure you can do that by hand, but it's very easy to try to send a number as a string by converting it with str(), forgetting that in some countries the decimal separator is a comma, and the SQL server won't like that.
Big, fixed queries probably can be safely moved to stored procedures and views too, just because huge joins that fill the whole page are often messy and distract from the main thing.
Now, one thing that should definitely go in the application is interface related code. I'd avoid excessive sanity checking in stored procedures, since that's often much better done in the interface, and some types of user permissions would belong there as well.
Also, big loops almost always should go in the program. Your server probably supports the use of cursors in stored procedures, but that has pretty high chances of freezing your application for a long amount of time with no progress report, and makes error handling more difficult.
To me this sounds like the argument for using assembly level code - faster, more control, etc. Things should be moving away from dependence on platforms. If you use stored procedures, then you can't take advantage of highly leveraged, portable and productive development platforms like Open for Business (www.ofbiz.org). Discussion about using SPs will seem pretty silly in the not-too-distant-future when all coding is done at higher levels of abstraction than it is now.
Procedural code and SQL code are two separate programming language processes. The first directs the computer from a singular point of view. For instance "do this, then that, then go here and check this. etc.". And the other deals with groups of items. such as "everyone wearing blue shirts go to room 103", or "we don't need these anymore".
As far as intermixing these code bases, your procedural business logic and data business logic should be split when it makes sense. The database is optimized for merging and managing sets of data, and procedural code is good for binding this to a functional form. The business logic should be split into these two zones and implemented appropriately. It would be inappropriate to return a set from a database then loop through that set searching for some name or value. And at the same time it would be unwise to return two sets and join them in your code. With experience it seams cleaner to maintain these two zones of code. This doesn't mean that you need to use stored procedures though.
As far as stored procedures, they are a convenient way of separating these two types of languages, another way is to in place the Sql code into your procedural code, but it seams advisable to centralize this type of code in one place for visibility, and manageability. If stored procedures are not available or undesirable, then using classes or function that are located in some central, or locatable place, is recommended.
As far as for speed, implementing the data and logic in the appropriate place will speed your application, but stored procedures will not in there own right speed anything up. At least in MsSql server, stored procedures are not precompiled. They exist as plain text, just like issued queries. They do however get their own query cache, separate for the issued query cache, which could be of a little assistance.
Anyways. I am over talking about this. Take it, as u wants it.
-- Grimace1975
Lets take a Web Application for example.
;-)
Strategy 1 : Front end logic : Bad.
Writing database logic in the front of a web application is bad, very bad. You are decentralizing bussiness logic and creating a maintenance hell. Every page that access data must be updated or changed for any small change in the system. Such strategy is very common with PHP and classic ASP for example. You are not only rewriting code but also possibly creating a security and consistency nightmare. The same code on a pletorah of pages can lead to small variations that could create anomalies in the data, and therefore ruin you entire system. Most of us start this way, and works great for simple apps. You can copy and paste code you find on the web and develop apps quickly. You must FORCE yourself to leave this style behind. It was VERY hard for me, but I am so gratefull that I did.
Strategy 2 : Back end logic : Good
Stored procedures centralize the application logic in the database. This is better than the first strategy, but still has very large limitations. For example, you begin your application with Postgre SQL, your system works fine, but then your application grows, and you decide to use another suplementary database server, lets say MySQL. Now you must also create new code and systems to make the application work. Later, the company grows, you are getting a zillion hits, and you decide to buy MS-SQL, Oracle, DB2, etc. Another rewrite of the system ensues.
Strategy 3 : Object orientation and encapsulation: Best.
This old strategy is best implemented in systems like J2EE and ASP.NET, perhaps it works with php5 but I haven't looked in depth into it. With MVC implementations like JSF and Web Forms you can create the views. You then create classes, web services, beans, enterprise beans to encapsulate the bussiness logic and create "linker" classes to interact with the presentation layers. In the database, you create restraints and triggers to avoid bugs and sloppy programming to ruin the data. If the system updates databases, you just change the triggers and restraints. Perhaps change one modular piece of code or two.
It takes discipline to create a modular, n-tier system. But in the end, It is worth it.
My Humble Recomendations
1. Learn Object Orientation and practice until you think and breathe and eat in this manner. Pick a good system like J2EE or even ASP.NET if you don't care too much about portability. Yes, ASP.NET can use MySQL and Postgre gracefully.
2. Learn the specifics of different database system. Some may use LIMIT and others may use TOP. Design good relational models and create triggers and restraints to ensure that the data cannot get in without being perfect.
3. Read, read, read, and practice practice practice.
4. This is the good part. Profit
Just my 2 cents. I am talking from experience, because I have grown from my mistakes. In fact, MANY of them.
I work for Microsoft. I have to post anonymously so I don't get into trouble with management but basically as you all know we are developing a new file system based on treating the filesystem as a database. It's called Cairo. Maybe you've heard of it. Anyway, long story short, we are implementing stored procedures in our database filesystem to make it easier for developers. They will be able to do more with less commands by .netifying everything. See, many years ago viruses were very small like maybe a few hundred bytes. Over the years their size grew until finally in disgust we began including a VB-like macro language in all our products. That helped to make viruses smaller and easier to develop again (as well as required the antivirus companies to license our code to decode our proprietary file formats) but over time the effort required to write a worm or virus for our products has ballooned until it now exceeds what a 15 year old computer dork is willing to invest. But by including prewritten lines of evil code as stored procedures in Cairo we believe that our products will once again hit the sweet spot with our target audience. For example in only a few commands you will be able to write a totally new virus. So don't count us out yet. We are innovating our asses off. Just wait and see.
For the web app I'm working on (1 million hits a day, processes 30 million records every 30 mins, which are fed in from another company via FTP... go figure), we use stored procedures to massage incoming data into a more useable form, usually involving denormalized cache tables and precalculations to lower the amount of data the server app has to request from the DB back end.
It works fine so long as all developers are aware of the nature of the data.
because its not a M1 Abrams. The real problem is that there are so many Abrams drivers out their trying to sell their clients on a Main Battle Tank of a DB when for most DB projects, something faster, lighter, and easier to drive is a better fit.
I personally like stored procedures in SQL Server because the query is pre-planned, so when the procedure is called SQL Server does not have to waste precious time parsing and planning execution for the stored procedure. I have not touched a stored procedure in Oracle for over 3 years so I could not honestly tell if Oracle does it the same way.
It is also nice to get all these SQL queries out of the web code, and it gives its own little bit of (job) security by obscurity, but when it comes to it the main reason I do the stored procedure is because I want the damn thing to run faster.
What I don't like is when people write stored procedures and then they build a dynamic sql query inside, which is retarded since it will have to parse and pre-plan the damn query every time the stored procedure is running!
Pedro
----
The Insomniac Coder
It's a slippery slope...
I used to work for a large web hosting company that wrote there billing software frontend in Delphi, and kept all the business logic in stored procedures on MS-SQL. It got so bad, they even ended up having a stored procedure that generated HTML/Text invoices for customers! Ever tried doing text layout in a stored procedure? It was absolutely nuts, but once they had started putting all the business logic (and much more) in stored procedures, its hard to stop without "splitting the code-base".
They were also scared to upgrade from MS-SQL 6.0 to anything newer for fear of it breaking their stored procedures. They tried at least once and failed miserably. As far as I know, to this day, they are still running MS-SQL 6.0.
This whole issue basically put a strangle hold on the company, it took forever to "innovate" and they eventually got bought out. The new parent company has spent over a year trying to migrate away from this "stored procedure" mess.
I think stored procedures are good, but only in very specific circumstances. If you design and code your application properly, there is usually very little need to start down the slippery slope of stored procedures.
Open Source Time and Attendance, Job Costing a
- If the database schema changes, you don't need to rewrite the application
- Your data are secure and the model is always in stable state
- The operations on the data model are well defined and well optimized. Nobody is reinventing a wheel.
Of course, any business logic has to go to your applications.If programs would be read like poetry, most programmers would be Vogons.
I am in full agreement,
c h.php
SP's are not all they are cracked up to be. One of the major trade offs is that you lose flexibility. for example in order to offer a an advanced search page for say a BBS you might not know ahead of time all the possible variations of your select statement therefore you have to have the ability to construct one at runtime. A good example of such a search tool that would not be possible using SP's is:
http://www.linuxquestions.org/questions/sear
Another reason that SP's are not cool is that they are often a cause of the rift between DBA's (who don't allow app developers to touch the DB) and application developers.
I suppose programming to SP's is like programming to an interface, but for some reason it just feels like they get in the way more often then not.
Sounds like you need some middleware. There are database servers, and there are integration servers, for example WebMethods. They might be overkill in your situation, or might be a big improvement.
Using the arguements for their use in your post, what else do you need to know? They are the best way to go, unless you are doing something that wont matter, or want to do things really sloppy..
But if you are making something that people will actually use, then using stored procedures is the only way to go.
---- Booth was a patriot ----
I know /. uses a db, so could this beneffit it? Ive seen a few error messages latelly, so....
In SQL 2000 you also can use table variables in stored procedures, functions, etc. instead of temp tables to reduce io to the tempdb. This allows for easier manipulation of large data sets with faster output.
I can say from real experience in the enterprise (Implemened the 30th and 60th busiest sites on the net today - MediaMetrix). These COULD NOT HAVE BEEN DONE without stored procs. The level of performance increase is completely non-trivial. YOU WILL GET HUGE PERFORMANCE GAINS - especially when you have a complex AND PROPERLY RELATIONAL db. You CAN NOT use string SQL at the enterprise level like this. You CAN NOT maintain string SQL all over. When you do things like 1 click place an order, register a user, enter some survey questions etc - do you think you can maintain 5000 concurrent users while each are making 5 string based SQL trips????
The level of business logic being embeded in procs can be maintained so you KEEP YOUR REALL OO MODEL. It is KEY from an app development perspective to maintain a good OO model. Everyone acts like if you put ANYTHING beyond 5 lines of SQL in a proc - you are commiting an evil act of embedding 'business logic' in a proc - God forbid. The REAL truth is that you CAN put LOTS AND LOTS of SQL in a proc - have it work REALLY REALLY fast and STILL have a GREAT OO model.
The caveats; you need to have people that write good procs and have a properly structured DB.
" I have no tag line. "
I am have been an Oracle DBA/Developer for more than 10 years. I also got into Java and more hardcore OO programming around 1996ish. In my opinion, from a design and implementation standpoint, the use of stored procedures is extremeley useful to provide an abstraction layer for data access. This is valuable because the stored proc can handle the renormalization of tabular data to best fit whatever object model is used in the application. Simplifies the application and protects it from necessary database changes (normalization/denormalization) in terms of how the object is implemented into tables. The great benefit of this is that it lets dbas and other database developers implement the data model independently of the application! This forces the relational data model design to resources that can program it most efficiently. Obviously there will be a small number of cases where this is not a viable approach to follow, but in general, it is a huge time saver, risk reducer, and productivity enhancer.
Come on, this is a troll if I've ever seen one. A lot of people have strong opinions about this, and tend to lump those who disagree with them in some category of people (e.g. "small website hackers").
I deal with large applications that access large volumes of data in the real world, and I'm not a big fan of stored procedures. But, I use them in a limited fashion.
My personal opinion (and nothing more) is that you start with your business logic (exluding data validity constraints) in your controller objects of your application. Once you're into system and load testing, you look for places where the benefits of a stored procedure really buy you something that you need to buy. "Centralized code" is not a benefit of stored procedures: just the opposite, unless you manage to do your entire application in stored procedures. I also disagree that security is a benefit of a stored procedure. Unless you're dealing with client/server applications (and poorly designed ones at that), there's relatively little difference in the risk of having logic in the application versus in the database, and I can think of a few known exploits that could give somebody a look at your application logic.
The true benefit of a stored procedure is that it is easier to improve performance. Notice how I phrased it, because it's important. Many people will state flat out that stored procedures give you better performance. Not true - on most databases, you can implement optimizations to give you the same benefits (e.g. declaring cursors, using prepared statements and bind variables, etc.). But, databases know themselves pretty well, and one of the quickest and easiest optimizations you can do is to move poor performing logic into the database - achieving the same thing through SQL or an interface can be time-consuming, and you have to have good developers who really know their stuff.
Even at that, I try to tune the logic first before moving it into the database. A lot of "first try" SQL is inefficient, so spending a little time on your more complex querys often allows avoiding having to separate pieces of business logic. Oh, and if you do use a SP, put a big obnoxious comment where the logic used to be with the name of the SP, how it's used, and when the logic was put there. Or don't... it's your system (and career).
There are a few exceptions to my approach of avoiding stored procedures. Bulk moves between databases is one I can think of. But as a general rule, I avoid them during initial design, and use them as an optimization when I have a reason to optimize.
Your mileage may vary. I know many people who have 180 different opinion on this, who are just as successful with their systems. It is possible to make a well-designed, easily maintained system using SPs, but it just doesn't really fit the way I work.
$5 / month hosted VPS on linux = awesome!
Our company standards require we use store procedures. The procedures provide a window to the database and are meant to hide the complexity from the programmer. They don't even get to see the tables. They provide better performance, and you have people who understand the data writing the queries. The database is meant to hold data, not business rules. Keep them in your code. Let the database maintain data integrity. If your concern is to be able to use a different database down the road, then use a data abstraction layer to hold all your code that accesses the database. Use a factory to provide you with the data abstraction object you need. You could have an Oracle and MS SQL implementation of your data abstraction layer. Your web programmer never has to care which is being used. A simple change in a property file can tell the factory which to provide. This approach requires some division of labor, and depends on having the resources available. It also takes more time to develop it right. However, if done right it can save a lot of headaches in the future.
i'm quite unsure of myself about this, though. at the moment i'm working on a budgeting application, and both performance and productivity are becoming an issue.
example: to aggregate budgets over a time period, i retrieve the budget objects for each budget period individually, and accumulate the aggregate data in code. this takes quite a bit of extra coding, and execution time is quite slow, however; doing aggregation queries in the db would certainly give better performance, and it would be a lot easier to slap together some queries instead of writing all that code.
so, the way i look at it, it comes down to a question of science vs. engineering. the scientific impulse is to adhere to the theories of keeping logic in one place, and respecting the objects' ownership of their data. the engineering impulse is to use the technique which is faster and easier to implement.
i guess at heart i'm more of a scientist than an engineer.
i'd love to hear others' takes on this question, btw.
pr0n - keeping monitor glass spotless since 1981.
So, you refuse to source control your SQL because you lost the fight about which source control program to use? People like you make IT suck.
"Source control is rather easy to use with stored procedures. "
Real world experience tends to be that IT depts with functional CM, break down along a division between business software developers and database admins.
Every line of your application code might be meticulously maintained in CVS, while your DBAs don't give a damn about that, don't have to give a damn, and aren't accountable to your IT management.
"but what's stopping a developer from writing his own query rather than using the optimized one you've already provided for him?"
You can do things in a SP that the app connection lacks credentials to do. So what's stopping the developer? How about hard, drop-dead, grant-level security?
-fb Everything not expressly forbidden is now mandatory.
One more thing that I haven't seen mentioned in the comments yet.
Stored procedures allow easy updates, especially if your application is compiled.
You found a bug in how data is accessed/returned from the DB? No need to recompile anything, just give the client a script to run that patches the affected sprocs. Easy, non-disruptive, and fast.
This was a huge timesaver for us and our clients at my last job.
I'm just trying to figure out what: architecting is.
SELECT COUNT(*) FROM a WHERE a.key NOT IN (SELECT key FROM b)
Actually, SELECT COUNT(1) FROM a WHERE a.key NOT IN (SELECT key FROM b) is much faster.
I've been getting 503 errors on and off for maybe a week.
For whatever that's worth
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Like all tools, stored procedures can be used to good effect, or they can be very, very evil. In my experience, projects with people who "knee-jerk" to stored procedures often wind up as train-wrecks, with the engineers begging for mercy-killing. Sure, you can write crap in any language. But it seems that some languages attract the crap writers more than others.
On one project I converted a stored procedure that was an undebuggable mass of 300 lines that took 18 hours to run, and recoded it in Java, using in-memory operations; it ran in a few minutes. Tried to explain that to the developer who wrote it, got a stoney face and some shrugs. Guess who doesn't work there any more?
Any sufficiently advanced technology is insufficiently documented.
Calling SQL from within scripting language,
we don't need SP,.. unless we need workaround,
because of DBMS has missing
basic "must be" features.
Consider example: lack of identity in oracle
(auto-increment ID) required to write trigger
and SP to emulate it.
Another example: lack of timestamp data type
required to write another trigger.
(BTW, even with triggers, it's impossible
to implement in oracle,
but that's another story...)
Third example: lack of *atomic* multi-table update
may require transaction defence line
and SP code around.
On the other hands, do we ever pay attention
that all above is not required when we
operate on regular filesystem with files and just
rely on atomicy and consistency of well-defined
filesystem's operations.
Same was nearly true until MySQL didn't forget
about web-centric usage base
where it was growing from.
Then, instead focusing on benefits of
copy-on-write snapshotting,
LIMIT and caching improvements,
they migrated to "market demands" with cursors,
sub-selects, SP and other attributes of
"respectable DBMS"-es.
As of my personal opinion,
if someone *really* need stored procedures,
person need to take a look onto 4GL,
(for example) Progress DBMS,
and realize there is no any reasons
to return back to any SQL.
As long as SQL is claimed to be
*non*-procedural language (at least by idea;),
adding such workarounds as [stored] *procedures*,
must be considered honestly, isn't it?
If so, why create any standards for
mis-conception at all? SQL-99, SQL-2003,...
Well, well,.. reason is always there: the market.
People know SP-s, people use them,
create more and more workarounds,..
and you have to deal with them sometimes.
Of course, create or not your own workarounds, --
always still been your personal choice.
I have seen an OE system that was written in straight stored procedures(PL\SQL) that did extremely poorly and then large parts rewritten in a Java layer and it did much better. However its not really a fair test because the original stored procedure layer was ultra badly done with lots of needless and badly done abstraction that only slowed everything down.
Good Luck.
It shouldn't have to be a generic good or bad answer to the question. It depends on the circumstances and the context of the problem.
These n-tier architecture argument often overlooked on it's applicability. If you're a vendor selling application, it is wise to make it database independent and n-tiered. If you're a in-house development and has chosen your strategic database and the database is centrally used across multiple applications, SP might make more sense.
Performance importance is also contextual. I work for a bank and the volumns are counted in millions and there is limited window for batch processing. For an smaller online apps it is probably not significant.
If your database is extremely sensitive, there is no substitution on SP. Any security logic implemented outside the database can always be bypassed.
Do all DBMSs have a flat address space for stored procs? The guy above who had 3000 procs in the database - how can you manage such a load without packages or libraries or directories to organise them?
To address the issues of vendor tie-in, what if the stored procedures are written in a common language, such as Java? I know that Sybase and Oracle both allow Java stored procedures instead of Transact SQL and PL-SQL. The J-Procs are basically JDBC code, and would be much more likely to be vendor-neutral. Is anyone in the world using Java stored procedures in these two DBMSs?
One thing I maintain is a database that combines and stores a lot of data from a few different places. This data needs to be combined and have various functions performed on it daily, and stored in a way that the client apps can access it in fairly organized, fast manner, to run reports, add additional data, etc. Stored procedures, triggers, and (ugh) DTS in Sql Server do this pretty well. It would be a lot less efficient to just store the data in its raw form in several tables and force the clients to compile the data as needed. This is especially true as some of the clients have pretty slow connections to our LAN (I believe 56k frame relay).
The answer to this question really varies, depending on what your resources and needs are. There are many variables. It shouldn't be looked at as a simple yes/no question.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
User: bob
Password: x' or 2>1 --
and see what breaks. If you compose SQL on the web page script, the bad guy is in.
Welcome to the cruel world of sql injection. Just imagine if the abuser types in the following for the password:
x' or 2>1; truncate table customers; drop table users; --
All it takes is one page somewhere to forget to trap/escape out bad stuff, and you are hosed.
We make extensive use of SPs, especially in the billing section of the database. And no, not for adding / editing data - just for viewing it.
If we didn't have views / stored procedures, then accessing billing information would be:
a) Very difficult coding - you'd have queries all over the place and you'd have little discrepancies pop up that some manager would have my head roll over. Centralised queries is a very good thing indeed.
b) Very slow. I don't care that SPs are pre-compiled. Being able to use nested views / SPs is where we get most of our speed from.
Triggers I'm not so fond of. They are handy in some small cases, but as I'm sure everyone else will be pointing out, they can make debugging interesting.
Just your typical answer:
For most applications, plain SQL works fine. Stored procedures take more time to write, which is undesirable if you're aiming for rapid development. And they aren't that portable.
I say use them if you'll see a performance benefit. As my pages have always been fast enough, I haven't used them outside of school.
The greatest bottlenecks for many web developers seem to be in their code to read the resulting recordset, following unoptimized samples like seen in most tutorials, or forgetting to index certain fields, using multiple queries where a join would be more appropriate, using the wrong provider in their connection string, excessively concatenating large strings when a string buffer could do it 1000x faster, not knowing to turn on reponse buffering, etc. The kinds of things that lead to multimillion dollar it purchases.
When something isn't fast enough, and you've determined that the database is infact your primary bottleneck, and stored procedures have the potential to give a visible improvement, then and almost only then will it be a great idea to use them.
If you're working on a very high traffic system where RAD techniques no longer apply, and performance is your highest priority, then of course you'll do whatever you can, including planning from the beginning to use stored procedures everywhere they'll help. But at this point I would be considering alternatives to a sql driven relational database.
But what do I know, I'm only 22.
I use MySQL for everything. No need - even for smart apps.
Only victims make excuses
If you allow developers to access database structures directly, every time you change your database structure they have to change every program that depends on that structure. Stored procedures allow you to provide logical interfaces to (generally speaking) physical data structures that can withstand maintenance
efforts.
Try letting your developers deal with transactional and logical units of work, particularly in the OO web applications environment, and you'll find your data severely screwed up. The J2EE methods of dealing with data are not at all the way that relational databases expect interaction. Provide a compatibility layer of stored procedures, and your data won't get hosed and your application developers will appreciate the convenience of not having to deal with transactional logic.
It's a great way for DBA's to enforce logical constraints that affect data management. It also allows them to employ the tweaks and tricks that modern RDBMS's provide. The end result is that those who have the strongest ability to execute well in a particular portion of a project can assume the authority to do what they know best. That can't be a bad thing.
This is the classic DBA vs. programmer argument. Ideally developers can write app code and database code. Our shop made the move a couple of years ago. All, data access is througt sp's, and when it makes sense, app logic as well.
Our applications are *very* fast, *very* easy to maintain, *very* easy to debug, *very* easy to test, *very* easy to optimize, *very* easy to deploy, *very* secure and if need be, we can switch app servers with minimal effort.
Need to change/extend/optimize/re-purpose the data model? No problem. The sp's abstract the datbase structure completely.
A couple of schema changes can wreak havoc on application code. To be fair, they can wreak havoc on database code as well; but it is much easier to manage if your data access is through a centralized api.
We also are careful to divide access to the database by functional roles early on in the development process. This allows us to scale an application with hardware very quickly.
The argument that you are locked into a db vendor if you implement an application using sp's is silly. You are locked into the db vendor anyway, get over it. The fact is you are just as locked in at the app server level. End of this argument please!
If you are a developer and don't know how to write t-sql crack the books. You can't build an enterprise application without sp's, triggers, and udf's. At least you shouldn't in my opinion. Stop whining about sp's and pick up a book! You will learn a lot, create much more robust applications and up your job security a couple of magnitudes of order.
Scripting languages were never meant to deal with large amounts of data or complex data models. Databases are in fact designed to do this exactly. Database connectivity was an afterthougt in almost all web programming languages.
Just my 2 cents. I've been building applications for 12 years. The more I build, the more I rely on this architecture.
all this talk of vendor lock in is bogous. if you write any kind of serious application, i'd defy you to move databases without a code rewrite.
bottom line is you upgrade/migrate your code base far more then you move db servers. that combined with the benfits of SP's makes them a the best choice.
Finished a HUGE project last year that involved, oh, I don't know, about 2,500 Oracle PL/SQL stored procs that were called by a Java middle-tier. About 3 months ago I was told by the PHB that the app now needs to also support MS SQLServer. I'm in the middle of slogging through all that pl/sql converting it to platform-neutral Java database calls. Shoulda just passed on the stored procs from the get-go.
/ ch 19.html
Oh yeah, and apparently there's some evidence to suggest that calling Oracle stored procs from Java is actually much slower than using Java prepared statements and the like. Something about all the overhead required for Java to set up the call or something. Here's a link:
http://www.oreilly.com/catalog/jorajdbc/chapter
*sigh*
Architect not verb. pls use actual words. k? thx.
Not sure whether to get involved in the flaming but there have been some good points for using Stored Procedures; however the conscious choice not to use stored procedures has saved my butt at least once so let me share. Application developed with Perl/PHP4 and Postgres on a Linux desktop box because the NT Admin didn't want anyone playing with his SQL Server baby. Management insisted that deployment had to use the SQL Server hence I developed without using stored procedures. Well four months after deployment the NT machine was hacked SQL Server compromised and the decision was made to switch to Oracle. (Hey I'm just a code monkey not the decision maker) So because I had not used any stored procedures my application was working perfectly after the move to Oracle while other projects were still rewriting their apps. The moral: unstable environments are not the place for stored procedures.
IMNSHO...
Take a scenario where you have to accept data from another system. The data may be structured in such a way that a series of interdependent lookups need to be performed to gather surrounding information that you need to store with the data or to understand how the data relates to already existing data (insert vs. update)...
In one case we encountered (which is one of many) this required a potential of 13 separate database accesses with a minimum of 8.
No problem. I wrap all this up in a proc and make one network transfer and database call from the system accepting the data to the database.
13 network round trips with 13 un-compiled SQL accesses vs. 1 round trip and pre-planned and pre-compiled SQL calls.
Now add in the fact that this particular operation happens half a million times a day and you start to see that in some cases stored procedures can be indispensible in certain cases.
Also, I have found that the security benefits as well as data integrity benefits more than outweigh the small "development time" penalty that they incurr.
One last point: if your writing all your sql in stored procedures you most likely have a dba minding the code and he/she can be much more proactive in maintaining the overall health of your data "ecosystem".
Of course none of this applies if your doing some dinky data based web app, but for heavy data lifting I have years of experience that says I'm right.
Lots of the problems people have had with stored procedures are because stored procedure languages have sucked. Now RDBMS' are giving you the option of writing stored procedures in real, OO languages that are familiar to most of your developers, Java and C# soon if you've drunk the .Net Kool-Aid. If you decide that portability is an issue (most people don't) and you code carefully, you don't have to decide where the code executes (app server or DBMS) until run-time.
What offended me was his strong implication that the two -- PHP/MySQL programming and real DB development -- are mutually exclusive. It's an attitude that I see a lot on Slashdot, and it pisses me off.
:-)
Just:
*) Ensure that your company blows inordinate amounts of money on software with expensive support to cover your ass. It doesn't matter whether it works better, but you should be able to point at someone else to blame if something goes wrong. This also means that you don't actually have to understand the product, and can trust your DBMS vendor's salesmen for all your information, which will chew it up into bite-size pieces and spoon-feed it to you.
*) Act very self-important, talk down your nose to anyone that *doesn't* waste as much money as you, and treat your money-wasting as a mark of pride ("I have a $N million dollar budget this year!")
*) Place "real" before every class of software you work with, and vaguely insinuate that there are technical (especially reliability) failings in any cheaper product than the one you use. It worked marvelously for "real UNIX admins" for years.
*) Mention "Fortune X" frequently. For example "Fortune 500 DBAs with $5M budgets like me use *real* database software -- *we* can't afford downtime".
*) Avoid, if at all possible, knowing anything about software or computers other than database interfaces and possibly a scripting language or two. It's also good to choose a single OS, learn only that, and then slip occasional comments about how other OSes are unreliable.
*) Slowly begin slipping corporate acronyms into your speech. Use "ROI" whenever it's appropriate, and even when it isn't, to make it sound like other people are just slipshod and guessing numbers. "Enterprise class" is also good, since it implies, with only very vague factual requirements, that you work at a larger and more stodgy company that the person that you're trying to put down.
You'll be well on your way to doing "real" database work in no time.
May we never see th
SPs invite use of vendor-specific features, and therefore lock-in and loss of portability.
First of all, is this really an issue? I mean, I'm sure that there are companies out there that actually switch their DBMS at some point, but how often does this occur? Most of the companies I've worked for made a DBMS decision ages ago and stuck with it. It seems to me that a lot of people talk about the idea of DBMS portability as if it's just one of those things you plan for regardless of whether or not you actually have a reason to plan for it. I think it's an issue that becomes a reality only in a tiny fraction of situations.
Also, as another poster pointed out, why would you spend $x00,000 on DBMS product X, and not actually use the features it gives you? The use of vendor-specific features should be, to some extent, the very reason you went with that vendor in the first place.
Just some thoughts off the top of my head. For the record, I'm somewhat on the fence on this issue. I think SPs are essential in a client/server environment (yes, there are still tons of them out there, even new projects), but I'm still debating their use in an n-tiered environment.
"You cannot simultaneously prevent and prepare for war." -- Albert Einstein
Sorry if this has already been noted, but...
While putting logic in the db can result in large performance improvements (by reducing round-trips between client and server), it can also reduce performance by forcing all clients to contend for a single shared resource (the db).
In a typical client-server situation, you can add compute power on the client end pretty easily. Adding additional horsepower to the db engine is usually a lot more expensive.
Like people used to say back in the old days, when workstations were new: the nice thing about the network is that it doesn't get faster at night.
Just some gossip... but I hear a CmdrNaan might be replacing CmdrTaco soon.
Risk breaking something that someone else is relying on whilst you debug your code.
Create a replica db to develop your stored procs in. But this can be a pain if your application requires sensible data to be in the db.
Piss around creating duplicately named stored procs in the main dev DB.
None of which are particularly great.
If you write an application that needs persistance for it's data model then an Object Database is the way to go. You get to keep all logic in a central domain model, great performance and all the features you need like object level locking, transactions etc.
Fantastic thinking.
You are quite correct there, and that also comes down to the competancies of the developers and software.
Oracle is fantastic data storage and retrieval, and is it great 'business logic'?. Probably not.
Likewise , A DBA is not necessary great at such logic, but a magician at getting and storing the data required for such logics, keeping it safe and as bookishly-correct atomic and/or normalised as wisely possible.
And theres some fantastic coders out there who's knowledge of DB's probably just extends to joins on selects and inserts.
So the DBA just presents a unified interface to the coder via stored procedures, and the coder does his job. The coder doesnt even have to know how the data is stored and retrieved.
OO in action!
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
wow, maybe you should take 5 minutes before you start hacking your code together to talk about your database and the things you need it to do. I know developers like you that hear half the problem and race to their computer to start coding. I'd rather find a whiteboard, draw some pretty pictures, and figure out what the hell we're trying to do first. And you know what, except for the simplist projects (which wouldn't have 2 people anyway), I'd finish before you and work a hell of a lot less.
Things fall down...People look up... And when it rains, it pours.
...is report building/distribution. Build your report SPs, design reports around the SPs with Crystal or something like it, then let users call up real-time reports from a mirrored db with them. The queries are optimized and can be built with indexed parameters for user interaction. If done well, everything runs fairly quickly and, more importantly, no one in Sales can TOUCH data with ad hoc reporting tools. Bad touch, Marketing Drone!
- Jack
I've worked for 3 companies that exclusively uses stored procedures and haven't seen any problems. In fact, the two places I worked that didn't use them and instead used embedded SQL were the ones that were difficult to maintain, especially in the places where the same embedded SQL scripts where in multiple places in the application. One other place I worked for used a special Data Access Layer that had a "Select" method and a "Update", "Insert", and "Delete" method that took parameters and then just dynamically generated the SQL script to execute. It worked well and was low maintenance source code, but a very fragile DAL that was hardly touched for fear of breaking it.
In all, properly used, SP's aren't bad and are very useful. Especially for security and data integrity. I know some prefer to use SQL for multiple database platforms without having to rewrite the SP's on each platform, but in reality, I've never seen a place (not saying they don't exists) that wrote such generic SQL that it would without database-specific changes, anyway.
Thanks,
Leabre
The database is really just persistent program state, right? So why do you have a separate application, etc. for the database?
When you start putting constraints, triggers, etc. on tables, you are already sliding down that slippery slope. Whenever you have a slippery slope, it's a clear sign that a new way of thinking is neeeded.
Why not write the whole application in the database? The stock answer is that the embedded language is not insert adjective here enough to run my application. Why does this have to be the case? Why can't a powerful language have its own database? Why do you have to retrieve variables from the database? Why can't the variables just be in the database in the first place?
Imagine perl tied hashes, but you can also do SQL queries on the same data if you like, no performance penalty. Why not?
If the inventors of motorized vehicles had gotten stuck in this same brain-rut, we would be driving horse-drawn carriages pulled by mechanical horses, instead of automobiles designed from scratch to use engines.
Yesterday we saw that the filesystem is the database. Today we see that the database should be the language. See where this is going? Go read As We May Think again. Prof. Bush is still out in front of us. There's no operating system. There's no file system. There's data, there's the user, and there's the glue (a language) that binds them together. Everything else is just artifacts of the haphazard way we implemented it.
First, I think that stored procs are not only often good but lead to better, more powerful, secure, and flexible applications that would be feasible without them. But on the other hand, they lead to hard to maintain applications which are explicitly tied to one database. So they are necessary but often misused.
Triggers are more important and usually use stored proceedures to ensure that the information in the database is always meaningful or that some other automated activity happens on an insert or update.
Unless I absolutely have to, I try to avoid having my application call stored proceedures directly. A relational database manager *should* be able to hide the stored procedures behind a view allowing a nice standard interface for your data. This means that if you have to move to another RDBMS later, porting is much more simple and mostly confined to the backend.
BTW, I agree with the points about having your business logic in one place. Stored procedures allow you to move business logic which is inherent to the database into the database, thus making it available from all clients regardless of the language they are written in. For a single app/db pair this is not an issue but if you have a large DB with many different clients, it is a larger issue. Maintaining your application in one location is a LOT less work than reimplimenting it all in every one of your apps.
Triggers, BTW, as I mentioned before are very powerful mechanisms. They are not called by the app directly but are run every time a row is inserted, updated, or deleted (some RDBMS's also allow select triggers, though some have alternate ways of implimenting this). They can be used to impliment additional security restrictions, enforce referential integrity, or more advanced stuff such as send email when a new order is added to the database. Again, this is done regardless of whether the order is filed using a web app or a Windows app for the rep in the call center. Since the logic is unknown to the app, it isn't even aware of what happens after the order is placed. Talk about clean interfaces..... This requires stored procedures.
So, these are the great things about stored procedures. But when they are used badly, you end up with the stored procedures reducing the agility of the application because they tie it in too closely to the database. What do you do when your app is tied to Sybase and your customers want MS SQL Server? What if *all* your logic is in that database? Do you rewrite *all* of it for MS SQL Server? Probably Not. You are stuck and out of your investment.
In my opinion, it is important to maintain a clear line between what is the database's job and what is the application's job. If this line is blurred, bad things can result. Stored procedures are a very easy way to blur this line.
I design my apps with the following layers to them:
UI
Application-specific logic
Database Access Layer
Information Presentation (SQL API using views)
Information Management and Data Logic (usually stored procedures)
Information Storage (highly normalized, usually).
This allows the database to be a server app in its own right, and the client logic to run in the apps themselves. HERMES (see my sig) is mostly built this way, but there are a few things I need to change before I am happy with the interfaces. This is one reason it no longer supports MySQL.
LedgerSMB: Open source Accounting/ERP
As for the argument that programmers don't want to do it becuase they are 'only java programmers' or only 'visual c++' programmers, that's bullshit. Programmers write code for a living, they need to learn whatever language it takes to get the job done. I do, and everyone I work with does.
Speak for yourself.
It's funny how a lot of answers use the explanation "put the data in the database and the logic in the explanation", like there is only *one* application talking to your database. So it's not really an enterprise database, rather the data of an application... Real databases have tens or hundreds of different applications talking to them, written in different languages, with different aims and different bugs. Better to centralize the checks.
In my personal experience, I use a lot of PostgreSQL triggers to keep tight consistence of my database.
"It is more complicated than you think" (The Eighth Networking Truth from RFC 1925)
I've used Sybase stored procedures before on a project i worked on. I thought the idea was great. The project was split into two different teams. Team A worked on the Database and Business logic which went into the stored procedures and I was on team B which was in charge of writing a UI for the system. For me stored procs where great because it ment i didnt need to know heaps about the tricky business logic and i could just do what i was ment to be doing, I.e pretty UI.
It's was a good seperation of skills for this particular project.
Giving IE users a taste of their own medicine since 2005 - http://pods.-is-a-geek.net/
There's at least one situation where stored procedures are a big win over prepared statements, or pretty much any other approach: where bandwidth is a factor. A stored procedure can invoke a number of statements, and then iterate over result sets and the like, all without involving any round trips over interprocess communication lines.
Granted, a lot of times folks think they can only do something procedurally, when it's actually possible to do something relationally, but not only can this be really ugly, long, hard to understand, and buggy, but sometimes it's not even possible to do in straight SQL!
If performance doesn't matter too much (like when you're driving a Web page and a second or two to render the page isn't going to kill your app), or where you have abundant bandwidth (same machine, or a very fast LAN), then sure, there's no huge performance benefit to keeping complicated database manipulations in the backend. However, if you're driving your app over a laggy line with minimal bandwidth (say, a satellite link), or you're doing a large volume of transactions where processing power is relatively cheap, while bandwidth isn't, then this approach is indicated.
Notice all of this is conditional on certain circumstances. Like all things relating to database operations, it all depends on what you're using it for. Almost everything a database has is useful in one context or another.
It all depends on how you want to view your database. Fundamentally, you can look at it in two ways:
a) It's a persistence mechanism. At root, this is fundamentally what databases arose from. It's a fine way to look at the issue, and one that personally appeals to me. In that case, don't use stored procedures, but use triggers and constraints to ensure database integrity. Your access to the database should be through class loaders (in your language of choice). Don't try to get tricky with the database. Its job is to persist object instances and load them. Essentially what you are running is an OO database that actually works, since relational databases are - in practice - stunningly robust.
This the the normal 'application' use case.
b) The database is the company store of information. The understanding is that many applications will be written by disparate groups to access the data, and those groups will certainly not be willing to communicate and may not even know the other groups exist. In that case, for God's sake, make plenty of use of stored procedures and encourage their use. Stored procedures are the API to the company jewels, and are the only thing that allows changes to be made to the data structures.
This is the normal 'IT / internal business' use case.
Decide which category you are in follow that model.
(There is also the use case of the application with performance requirements that require the use of stored procedures. If you are in that situation you already know who you are.)
In the same way people swap car brands and jam brands, people will want to swap their proprietory DB brand. You use their stored procedures, you tie in. They have you.
Do other databases systems give some other options as far as the language you can use in a Stored Procedure (SP)? For instance, perl, python, java? Most of the database programming I've done is for one object database or another (GemStone/S, Magma, MinneStore), and while there is no special distinction for a SP as such, I've created similar structures to obtain the same benefits as are described here.
But then again, in these OODBMSes you don't query with SQL or anything like it- you just query in the language you're coding in, which ends up to be completely seamless and very slick. Well, it can be a pain in the ass in less flexible languages like Java, but in Smalltalk or Common Lisp it's a dream, I like it a lot more than SQL.
So, do any DBs allow you to write your SPs in a something other than PLSQL or T-SQL or some other SQL-based thing? It'd be slick if you were coding your brand-new web-app in Perl 6 to just write your SPs in Perl 6 too, perhaps with inline SQL statements. And you could still call it from any other langauge presumably, just like a regular SQL SP.
Just me wondering...
Working toward a usable PDA environment in the spirit of Newton OS: Dynapad
In many of our projects, we put all logic into stored procedures (packages) in an Oracle DB.
Although the vendor-lock-in is definitely not desirable, the advantages are strong: writing business logic in PL/SQL requires less code and is more readable than any mixture of SQL and Java or other languages. We never ever have to worry whether or not a number(14) fits into an integer variable. Using stored functions in SQL statements is much more natural if the rest of the logic is also in stored procedures.
Some of our programmers need only PL/SQL-skills, only a few are required for the surrounding framework.
These days, so long as you are using a real language, you can find really good tools to perform persistence automatically, freeing you to have a wonderfully tidy place to put your business logic.
Having said that, it's not cut and dried. Stored procedures allow you to perform logic on your data. And if you use it for that, i.e., Data related logic, then you're fine. If you intrude into the world of business logic sitting in the database, you're going to run into problems very quickly... no extensibility, harder to test, etc.
So:
- Make sure you're using a language that allows you to perform logic somewhere that is not a stored procedure and not a script inside an HTML page
- Understand the difference between business logic and data related logic
- Do your best to understand the potential for you to want to alter databases
Then find your happy medium!dominionrd.blogspot.com - Restaurants on
The SP may or may not substantially raise load on the central machine. You seem to assue that SQL issued from the middle tier takes less work than SQL issue locally. The reverse is actually true. In addition, SQL from the middle tier has to push the rowset over the centralized machines network interface, which can be a very slow operation relative to local memory access, and uses a shared resource. You only get a resource savings if the data can be cached in the middle tier are reused enough to eliminate subsequen SQL calls to the server. For data accessed with low frequency and high volume, this is mostly a losing bet.
As for using vendor specific features, you aren't considering the ROI. By coding to least common denominator SQL capabilities, you are wasting your users time, because the vendor specific features make a big difference. In an enterprise system, nobody gives a crap about theoretical niceties like portability of the RDBMS. They want the thing that helps them do the company's core business process faster and better. And since the latter is what pays your salary, you will lose that debate every time.
SPs are text and can be version controlled as easily as anything else. That's two people who have made this completely moronic argument today.
Why do you call SPs "premature" optimization? What's premature about it? It doesn't take any extra time to code in the SP language (in fact for data-centric operations it's often easier).
I like stored procedures especially for one reason- They are targeted towards munging data within a relational database, and they do it damn well.
Take for example PL/SQL. Now there are damn lot of quirks in the language, but its base is rock solid. The in-built exception handling, oracle specific features just rock. The Data is stored relationally, and the best language to leverage it is the DB's own language.
Each DBMS has its strengths and weaknesses. For eg, a T-SQL developer would keep creating tons of Temporary tables to accomplish a task, which Sybase or SQLserver can execute effortlessly. The same cant be said of Oracle, in which DDLs are expensive, and a different technique has to be used. If the whole thing is written a middle-tier language, the performance most often sucks.
Having said that, I would really love a Open standards - Business rules language specification, with just one goal- to manipulate data in a relational database. A translation engine can convert this spec to optimized PL/SQL/T-SQL/$SP language. This should keep both the DBAs and the Portability gurus happy.
Headaches are better than being stupid and having found out you've screwed up later on. Obviously he's got some sort of marketable skill in that area, or he wouldnt be designing the database. He's asking the question in order that he may bask in the collective wisdom of many hundreds of geeks, and their songs of databasery resounding through the halls of the frozen server room of life. Obviously.
SRSLY.
You might as well ask if using shared libraries is a good idea.
MrCreosote Meow!Thump!Meow!Thump!Meow!Thump! "You're right! There isn't enough room to swing a cat in here!"
This also caused a problem because there was one instance where they wanted a stored procedure to be able to dynamically create an SQL statement to do certain things the user wasn't authorized to do, and while a stored procedure could create dynamic statements, the SP would only run with the priveleges of the user calling it, even though it was saved by a user that had admin priveleges. This was a safety and security factor and I thought was a good idea.
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
YES!
It is still relevant. You need to keeo your business rukes, database, and interface as seperated as possible*.
Security, reusability, readability, maintainabilty all demand it.
Security - You can encrypt stored procedure, and it's another layer someone has to get threw if the are trying to gain unauthorized access.
Reusability - If you have your data access broken down into Stored Procedures and triggers, the next time you need to do something similiar it will save you time.
Readability. - The code will be easier to read. You have an interface issue? now you don't have to wade through thousands of lines of data code to get to it. If it turns out to have been a data issue all along, you will find out a lot faster if it is a stored procedure.
Maintainability - You need to change some data rules? now you just change a stored procedure. This means your risk of an unexpected bug is much lower, and it's easier to rollback.
*There are some exceptions. If you need a phone number with an area code, thats a business rule. However it is so trivial you could put it into the GUI interface.
The Kruger Dunning explains most post on
In a perfect world, database vendors would be using the SQL 99 standard rather than sticking with SQL 92...
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
I ahve done a lot of database work, and I have never seen anything that bad. The strongest arguement for stored procedures come down to have the data access seperated from the businesss, and GUI code. Onces they started putting business logic in it, they violated the whole point.
"Ever tried doing text layout in a stored procedure?"
yes, lots. Not really that hard.
The Kruger Dunning explains most post on
There is no database with data and logic.
There is web form on user's fingertips, and distributed services behind the screen, with distributed transaction's processing, messaging between nodes, and data distributed across the globe.
Any DBMS-centric (read Oracle-centric or MS), is truly artifact of pretendors on the role of big brother.
Err...bad. No wait..good. No take that back...err... I am confused.
There are certain things that cannot be parametrised such as joins across databases. We keep our archive data in a seperate database on the same server. The only way to access this via a stored procedure is via dynamic sql.
by putting the logic for the common manipulations in the database, you can more easily use the data from many sources. Like say a java app, perl app, etc. The point is by not accessing the data directly with sql every time, you can reuse the data and logic for it in many front-ends... call it encapsulation, call it MVC principle, whatever you like, but it just makes sense. (The caveat being able to easily work on that code you've stored and not treating them as macros)
--------------------------------- Born Again Bourne Again Believer: New Life, GNU/Linux Be Free!
and i can see that the 8,000+ character SQL query i wrote for MySQL last week could have been very much simplified by replacing large portions of it with stored procedures. it's a feature i could have used, but it wasn't necessary.
of course, the query itself is a maintenance nightmare, and that's the way i like it. it was a contract job, so they'll *HAVE* to come back to me if they need to update it or move it to another platform.
that said, i'm wishing i would have had the opportunity to learn how to use SPs. the query on its own was an incredible learning experience for me, and i can truthfully say in job interviews that i can do amazing things in SQL if needbe.
i can see where SPs have their place. i can also see the arguments against them quite clearly. in fact, i would go so far as to say that if portability is at all your goal, reduce your SQL code to the bare minimum, dynamically generate them and never touch SPs. not all databases support SPs, and of those that do, not all support the same standard subset. MySQL and PostgreSQL are prime examples: MySQL has no support in the current releases, and PostgreSQL supports Python and Ruby, which few (if any) other databases support.
(for those curious, the query i'm specifically talking about was designed to generate the Calendar section of a local periodical. i chose to do it entirely in SQL both to strengthen my SQL skills and to stress my knowledge, abilities, and my locally installed MySQL server. so, the query returns four fields: the calendar category [exhibits, film, community, etc.], the event date [of the form "[THU|FRI|SAT|SUN|MON|TUE|WED|THU] xx{(, | - )([:DAY:]|[:MONTH:]) xx}"], the event title, and description. needless to say, the date field quickly became quite monolithic and complex, but i had a hell of a lot of fun doing it, and learned a great deal about MySQL, Apache [which i had to reconfigure twice to be able to use phpMyAdmin to test the query], and the SQL language itself. i'm a better programmer because of it. mainly because i know never to do shit like that again. ^_^)
grey wolf
LET FORTRAN DIE!
I'm a java guy and I've done a couple store procedures in Oracle.
I understand the benefits in term of performance of using store procedures but IMHO they are not woth the trouble (unless you can't do otherwise: ie: you would have to send too much data to the client).
I prefer to have the code in Java classes because I can organize the code better! Code organization for big projects in the problem number 1 (if you want to understand you application of course:-)
With the modern IDE it's simple to localize code and that's an added benefit when you have access all you application code in a centralized place.
Since the focal point is the webserver, shouldn't security be done there, rather than the DB?
Security should be done in every layer of the system. If you only did security on the web server, if crackers are able to compromise it, getting into the database is simple at that point. But if they can only run stored procedures, they then need to find a hole in the database which halves the likelihood of getting in.
Of course there are all the costs of maintaining the extra level of security. So you have to consider the cost/benefit of the security you put in place.
I understand some people use SPs for everything, as a security measure. I'm not that paranoid.
Stored procs are great, though, for processing lots of data on the server, without wasting resources (network bandwidth, client memory and CPU) sending the data to a client for processing and then posting results back to the database. Even if you have to do record-by-record processing instead of set operations, it's much more efficient to use a cursor on the server than a loop through a resultset on the client.
Stored procs are good at encapsulating a series of operations done periodically, such as end-of-month processing. In some databases you can define an event on the server that will automatically fire the SP. With such an event on the server rather than on a client machine, you don't need to worry about whether the correct client is running and connected when the event is supposed to fire.
Complex reports often require more data crunching that just a single query. I use an SP to process the data and leave the results in a temporary table. My client program runs the SP, then reports with a simple SELECT on the newly generated result table.
I am not too fond of over-use of stored procedures. However, they can come in handy in a multi-language environment.
But one thing they usually are missing is (optional) named parameters. Named parameters make it easier to add parameters in many cases because you can add an option without having to change a jillion existing calls. I suppose that optional fixed-position parameters sometimes can do this, but if you have lots of parameters, it can get tedious to match positions.
Table-ized A.I.
I didn't like 3.1, and XP does suck. The core philosophy of windows has been inherited:
1) taking stuff an admin should be doing, and giving users simplified access to it, while removing any of the complex options that a good admin needs.
2) a by-product of (1), but important enough to mention seperately: ignoring security etc. in favor of simplicity.
3) fundamentally single-user.
4) code that's so fundamentally flawed that it even looks ugly when you're running it.
Of course - GOOD. And one more argument - this way you can truly separate code from presentation. This is the same way MC(C)V systems work. Let database handle all "this-id-is-not-allowed-to" issues, this will make the code of your presentation layer smaller and easier to debug.
Of course, you will still have to debug triggers/procedures, but believe me - it's worth. And - if the word SEPARATE doesn't convince you, think about the word REUSE. You can apply policies on the database side, then wrap it with PHP, Perl, Python, C, Java - whatever you want.
Just finding inspiration, well, that's my excuse
"[snip]At one time we had a client/server architecture so those three advantages were relevant. However, in the past 4 years we have moved everything to web front ends and I have argued that this is no longer true. Does it really matter if my business rules are centralized in stored procedures or in a set of php/asp scripts (ie, in the web tier)?[snip]"
You've argued this because you've only been around for a we fraction of time and have never watched technology change from one generation to the next. If you stick the logic in the database, what is the cost of developing a new platform or changing web technologies? What's the cost of change if you don't put your logic in the database? In five years, are you going to assume your PHP code is a tomb of business process logic that can be trusted because its logic has been segmented and acts independently from data presentation hacks or frufy one-off hack jobs?
"[snip]Since the focal point is the webserver, shouldn't security be done there, rather than the DB?[/snip]"
Web software is a moving target. For every platform, web program, service, etc., you have to enforce the same set of rules. Stored proceedures are to databases what functions are to programming languages. Use them or your business will suffer from inconsistencies ranging from data management to more serious problems such as data access and theft. I bet companies that process credit cards or people who work on medical records probably have strong and justified opinions on the topic of data security... think the cost of implementing consistent database proceedures is bigger or smaller than the cost from a screw-up that lets the data walk out the front door?
You mention MySQL in your post... use a real database such as PostgreSQL for two months and let me know how your opinion on databases has changed at the end of your trial run. Compare and contrast this experience with your experience stemming from application development with MySQL. If you think MySQL in its current state is still a valid core for an organization at the end of that duration, you obviously suffer from some form of brain damage.
I regularly freelance for projects where we have one template programmer, one middleware programmer (me), and one DBA. With the same team, we've tried projects with stored procedures and without. In general we've moved away from sprocs.
The first time we tried sprocs, we basically treated them as functions. I would pass in a bunch of arguments (db column contents) to sprocs that would insert a new Activity, for instance. This got old very fast. It was much faster for me to write the business object that would insert itself from the middleware layer, than it was to wait for the DBA to create the sproc, after which I would have to create a middleware layer to the sproc anyway. It also didn't make financial sense for the client, because DBA's usually charge a higher hourly rate than middleware programmers.
The other sprocs were ones where I would supply several search criteria to a sproc (basically portions of a where clause), where he would assemble it into a sql query and then return the result set back to me. That was a bit more useful, but ended up kind of silly too, because it wasn't efficient to involve the DBA in actual application logic - we kept on having to go back to him whenever someone wanted to add a new dropdown to the search form.
If you're been an intermediate programmer, you've painted yourself in the hellacious corner of trying to dynamically generate a sql query that may or may not join across multiple tables. It ended up being a lot easier for the DBA to simply create a view for each family of search queries. Then I'd assemble the sql query on the middleware layer. Easy then, because I'd never have to worry about dynamic joins - the view would already have the joins, and I'd only be querying against the single view. And if there was a query change, I wouldn't have to involve him unless is actually required adding new columns to the view.
Right now the complexity of our projects don't require the remaining cases where a sproc would really make a huge positive difference. One such case would be a multi-step atomic transaction where we were worried about performance. A sproc would be perfect for that. But in general you can do just fine with inserting into tables and selecting from views without having to deal with the cost of having a significant amount of your project in sprocs.
Finally, an important tiebreaker between having logic in sprocs and in middleware is a pragmatic one - system resources. If you're making a lot of changes, you're going to be dealing with source code management - trunks, branches, and multiple staging installations. It's much easier to do this with your code repository than your database. With ost companies I've worked with, it's a lot easier to set up a new vhost for a code installation than it is to set up a third oracle installation. If you have a lot of quick changes to make, it's easier to make them in the codebase.
Beyond that though, it really depends on the team. If we had a full-time DBA rather than our 10-hour/week guy, and a less competent middleware programmer than myself, and a project with more fixed requirements, then we might defer more to sprocs. But our DBA is swamped, our projects tend to have ever-changing scopes, and I'm quite comfortable with MVC and keeping the control layer thin, to be able to respond quickly to the scope changes without having to majorly rework business objects on the model layer. It works well for us - and these are for large scale bank intranets, not simple little webapp one-offs.
Many people that know too many buzzwords think that "the business object layer" by definition MEANS the database and sprocs. It doesn't have to. It can just as easily mean the Model layer of an MVC middleware layer. With my work style, it's faster to leave it there and then use the database for storage and data-level calculations that can be embedded in the queries themselves.
skkkoooonnnggggkkk ptui
If you really have to figure out undocumented code you are going to follow the path, so if a function is called and you don't know what it does you look up the function and see. It is a nightmare but at least it can be done. Stored procedures add hidding function calls. You don't see it. Sure it can be figured out but I see the world divided in to two groups. Those who use stored procedures and who never have to figure out someone elses code. Those who do. The first like stored procedures. The latter hates them.
I like the three tier approach. Seperate presentation from business logic and storage. It is kinda unixie. Small applications that each do what they are best at. Databases are not programming languages.
Of course it is easy to use stored procedures as it enforces database rules, it is much easier to use myscl auto_incremenet feature then to write your own code to make unique ID's. However if you were looking at the code and you are any good at programming you should be wondering were the hell that ID number is filled. As said it is bad for a programmer when variables just change value without it being reflected in the code.
But of course this is just from my experience and from being taught by people who didn't like stored procedures. Others will have been raised differently and be capable of giving excellent reasons for their use. I think the only way to reach a compromise is for the code to reflect exactly via comments when a stored procedure will be called. Comments in code that are usefull. HA, that will be the day.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
'They let you abstract data access procedures.'
Still I don't recommend using them, because I know there are better ways of reaching the same aim.
Same thing with stored procedures.
1. Opposite day on that one, SPs decrease the load on the server by increasing its efficiency. That's kind of the point.
2. Vendor specific sql is unavoidable anymore.
3. You can version control SPs like any other code, and maintain them within your codebase if you so choose.
4. Anything can be over-optimized. But tiny improvements in speed can make a huge difference to the user experience when the query load is heavy. It only takes 10 100ms delays to add a second to the user's wait time. Maybe your 1000 SPs were created with that in mind.
Also, I don't understand all these guys saying "let the database and the business logic each do what they do best" and then coming down against SPs. SPs allow the db server to do what it does best, and then hand off a final dataset for the app logic to use (to do what it does best). With SPs you can take advantage of the folks that designed your db, who know a hell of a lot more than you about how to optimize for performance on the thing.
Just curious... why the choice of a temp table versus directly returning the results to your client?
(to partially answer my question is this a matter of amount of data transfered, or based on your choice of language/architecture... the temp table is easier to manipulate then storing locally?)
thanks.
The company I for deals with major UK power companies and a lot of them now have a policy that all internally developed systems use Stored Procedures for security purposes, although they are no yet forcing this on externally purchased systems. Obviously SP's are important for security but there are times when dynamic SQL makes things so much easier. For example, imagine you have a form that shows the details of all of your stock. You might want to throw all different kinds of queries to get the information you want. e.g. "Show me all items from electrical goods made by Phillips that cost under £300." or "Show me all kitchen products that come with a 2 year guarentee" These sorts of queries need flexible WHERE clauses. In our applications we use a flexible Where Clause generator I created. You just set the constraints on the WhereClause object and it generates the necesary SQL without lots of messy if-then-elseif type logic. How would you do the same thing in a stored procedure? Lots of if clauses? Writing a flexible clause generator in SQL? I'm sure you could do it some way but it think its a lot neater doing this sort of thing in the application.
This depends very much on your application and dataset. The one I look after has a small but actively used dataset (less than 1GB is heavily used) and regularly nearly fully uses the CPUs in the database machine. Moving load off the database (and, indeed, caching data elsewhere where appropriate) is the only way to survive in these circumstances (bearing in mind that buying better database hardware or software is not an option thanks to the cost).
If you're doing the same SQL query from a hundred different places then I think you've got more fundamental problems than a few bits of poor SQL...
Using a database properly is about more than optimizing queries. Everything from system architecture to the detailed behaviour of this or that object affects the load on the database and the quality of its structure. Using a database properly is also about designing your application appropriately and choosing what and how it uses the database - not just how it expresses those things in SQL.
Yes, you probably want a layer which is responsible for accessing the database, enforcing security and implementing business logic (or, at least, business logic relating to persistent data). This layer can be a set of stored procedures or it can be a middle layer which the rest of your code accesses (or both, if you've got a very good reason). Whatever you choose it DEFINITELY needs to be written by someone who knows about databases (and, in case you hadn't noticed, DBAs are not the only people who know about databases).
These debates are as silly as they are pointless. Stored procedures are an important tool within a SQL database. They are part of the SQL standard and should be there. Trying to say they are good or bad is like asking if a socket wrench is good or bad. There is a lot of overlap between what can be done in a "business logic" language, like Java or VB, and what can be done in a SQL stored procedure. Like all "gray area" arguments, the simple problems are a matter of choice as to where you want to solve them and which method is easiest. In the "real world" "real problems" often dictate where they must get solved. When you need a stored procedure, it sucks not to have them. That is why I NEVER use MySQL.
There are very few experiments let alone developments advancing this direction.
Seastead this.
I coded tons of stuff in PL/SQL, back in the good ole days days I worked with Oracle (sigh). Despite its limitations, it's not a bad language for business rules, and I did pretty complicated stuff with it. :-(
Now I'm forced to use stored procedures in MSSQL. I hate the T-SQL language with all my guts, and I wish I could have a dime for everytime I told my team we should be dropping them and favor business logic in the middle tier. But they love that crap, so I'm mandated to use it, too.
Looking back now, I realise that my extensive use of stored procedures and triggers really wasn't a good choice. They tend to complicate the databases and make them hard to understand. I favor a clean object-oriented or service-oriented model (depending on the domain) on top of a vanilla relacional model, with thorough and well-thought use of integrity constraints.
An example:
Some years ago I wrote a system that imported a massive amount of data to an Oracle data warehouse. It envolved parsing some weird binary files and stuffing some tables with data every single day by 2AM. The data had to go through some complicated calculations before being stored.
I wrote a program in C++ that parsed the files and called some stored procedures to do the business stuff. The parameters for the calculations were stored in a dozen tables with some thousands rows. This took 5 hours/day when the system was designed, which was considered acceptable.
A year later, due to business growth, the system was taking 21 hours to do the import. This had to be fixed. For days, I reviewed all of the PL/SQL code I had written, and found nothing that could be optimised. I ended up reviewing all the database parameters (IANA DBA) and ended up shorting the processing time to 12 hours, which is barely acceptable. If the daily data volume continues to grow, a major refactoring is to be done.
One thing that occurred to me was to change the business logic from PL/SQL to C++ and do all the calculation stuff inside the parsing program, using some tricks. The program would load the parameter data to some hash tables and other data structures and perform all calculations this way. I think I could save a lot of processing time this way, but the business logic is so complicated that I cannot possibly do that without creating another project from scratch. The golden rule is: "If it ain't broken, don't fix it", and the business logic in this system is one of the triumphs in my engineering career. Since the day it was written, it never had a single bug, not even in the testing phase.
Sorry if this has already been mentioned... haven't read all the replies yet...
I suppose this doesn't apply to thin client applications, but I work on a thick client application and at the minute, most of the business logic is in the client. Whenever we ship a bugfix or new version, the client has to go round and update dozens of machines with the new EXE. We made this a bit simpler by writing a program that sucks new EXEs out of the database and replaces the client app, but it's an optional extra and people don't like paying for stuff.
I recently did a major enhancement and put all the business logic in the database via triggers and stored procedures. The only code in the client app is used for viewing the data the database business logic produces. If there's a bug, we ship a SQL patch to update the database with the new trigger/stored procedure. No wandering round updating EXEs. Clients love it.
Word of warning: If you're putting business logic in an Oracle database using triggers and stored procedures, keep the triggers as small as possible by putting common code in stored procedures. When the database boots, it compiles stored procedures and functions, but not triggers, which are compiled when the trigger is fired. If you've got a large trigger getting fired frequently, your app is going to grind to a halt pretty damn quickly. This might have been changed in Oracle 9i/10g (I'm using 8i).
It completely depends on the requirements.
#!/
I'm not proclaiming that .NET is the answer to our problems; however, Microsoft has made a good step in the right direction with .NET. With a few changes in lines of code, you can switch data source types.
I know the above is a bit vague, but as we move into "more managed" code environments (which is where we're headed), programming language interface with the hardware and other software products will become much easier and robust.
The JVM from Sun was just the beginning; .NET is version 2.0. I'm excited to see what's coming in the next 10 years.
In the past 10 companies I've worked for I've never worked with a DBA that was not a complete lying tool. You forgot to mention that most only use TOAD/SQLNavigator because they don't actually know database commands.
Stored procedures solve a problem that predates languages like Java and C#. Once upon a time, you built client server apps using a client built in C, C++, or (god help you) PowerBuilder or VB. Database code either had to go in the user interface or the database. There was no other choice. So, to centralize business logic, stored procedures came about and people began placing the logic there.
In a three-tier or web architecture, stored procedures have no place. Centralize your business logic in business objects on the server. This makes your application independent of any underlying table structure or persistence mechanism. You can get the speed of stored procs by using prepared SQL in your database mapping code. These days, you can use mapping tools like JDO to avoid any database mapping code.
Where stored procs still have a place is inadministrative functionality, such as background batch processing. That's it.
Disclaimer: I am a DBA
"In addition, you either have to have a dedicated T-SQL or PL/SQL coder who then is the weak link in your coding chain, or your pool of developers must become fluent in both your scripting language of choice as well as the SP language. I have experienced both of these approaches and found this to cause bottlenecks when 'the database guy' is unavailable and learning curve problems (bugs) with new coders getting familiar with the db language."
I've seen the SQL our Java Developers write *shudder*. Seriously, sounds like resource (i.e., people) allocation problems. I write all the sps for our web apps (Oracle's PL/SQL), and would argue that putting it in the db gives you:
1. Better speed because the DB is made for munging the data, and it's one trip to the db server. The DB Engine is processing all the SQL anyway. In the days of CGI and Cold Fusion the db was the fastest place to put data manipulating code (including selects) and it still is.
2. More security through secured passwords and roles (password protected). Commercial RDBMS support things like login-triggers and 'Virtual' Databases within the db to limit data access.
3. Arguably simpler maintenance/enhancements. If the logic is on the db side, and you need to make changes, you have one point to run your changes - depending on the scope, you may not even need to re-compile/re-deploy code on multiple app servers. Using Java to store business logic guarantees that I have to a) 'nicely' drain all servers of active sessions b) take each server offline, redeploy the java c) bring each one back online. A process that will take hours. My maintenance window for db changes typically takes 15 minutes (often less).
4. Freed of SQL tasks developers can focus more on application design and GUI performance.
FWIW, PostgreSQL implements Python,Perl, and C as stored procedure languages, as well as several others. They aren't automatically installed, you have to add them yourself; however, that would mitigate the proprietary language problem in SP, as well as simplifying the learning curve for most developers.
That's two people who have made this completely moronic argument today.
You're such a moron.
... there's that cool murky middle ground, where you don't put project-specific business logic in the stored procedures, but you do create generalized stored procedures (e.g. can be easily applied to other data sets/projects) that support your programs. Of course that still means porting stored procedures if you change database platforms, but not as many as in the extreme case. It's a fine line.
When you ask "what's the best..." you always have
to give your assumptions. If you asked "What's the
best cutting tool" you'd have to tell me if you
were going to do surgery with it, or chop firewood.
An axe is great for one, but terrible for the other,
and vice versa.
Are you trying to get the 'best' application for
the users, or for the programmers? What makes
it best for users might make it harder for
staff to support. What's your budget? If the
best choice is to rewrite in 'X++' will they
pay for it? Are there language and support
availability constraints? Will someone there
dictate to the programming staff that they must
use Microsoft products? Will they refuse to use
'X++' because support staff is hard to find?
It's hard to get someplace when you don't know
where you're going.
-- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
A point I haven't seen mentioned is configuration management. In a disciplined team any member knows where to go to get/inspect the code that the app is executing.
Years ago I insisted that the developers work in SQL stored procedures so I could see exactly what they were running / testing in our app. It was amazing how often the code that the developer thought we were testing wasn't what was in the database. Using sp_helptext on the procedure I was able to defuse many "testing errors" as "configuration management" errors.
In later groups I've been more adamant that developers and testers and the project lead follow a configuration management scheme. Whether the code is in the database or the app, interpreted or compiled, I want to know what we are running / testing / developing.
This is a great question. I have read a lot of responses here, and for what it's worth I have been writing complex database applications requiring high performance for ten years.
:-). The classical example of this is if you have a particular process that is going to require mulitple scans of most of the rows in a relatively large table but that only returns a limited amount of data, then what you should do is design a stored procedure that does the table scan once and collects all the data along the way. The performance imporovement will be out of sight. Particulalrly if the data is used in a client server environment.
Stored procedures are critical.
First, they are critical for situations when you, as designer, know a piece of information about your database application that the query optimiser cannot really work out (if you are asking what is the query optimiser then find out!
A corollary of this point is procedures that can take variable parameters to reduce vastly the number of rows returned from standard queries. This enables efficient deployment over a network where the client can help the server reduce the number of rows sent over the network.
There are a lot of other good reasons to use stored procedures (and if you include "triggers" in the mix then number increases), all good comp sci reasons like modularity, reuse, etc etc. But the critical one for me is "design time" knowledge about the application of which the RDBMS tools (indexes etc) cannot take advantage.
"The first thing to do when you find yourself in a hole is stop digging."
s/Stored procedures/embedded-SQL/
On DB2, a stored procedure (written in SQL-PL|stored procedure builder) is nothing more than a package (compiled SQL with a generated query plan) created with Embedded SQL and C. I imagine Oracle is the same. Technically, a well written piece of software using SQL-J (or the C equivalent) or a well designed app (in some cases) using prepared statements would generate the same performance.
C is faster than PHP|Cold Fusion|ASP|Perl
In a world of slow, interpreted scripting languages, C code is fast. Which would you rather run, prepared statements with PHP|Cold Fusion|ASP or thin layer of front end code calling massive middle-tier business logic.
Stored procedures should be the number one tool of web developers. However in a world of large scale, n-tier business apps, I'm not so sure. Of course, I believe a lot of enterprise software ends up being architectual overkill, but that's just my opinion. However, EJB/COM/Corba/XML-RPC pays better so.....
My advice is to get a fast, beefy db server and simplify your app.
Stored procedures can hide database structure (normalization)
Stored procedures help protect the end code from being affected by changes in DB design. Sure, you may be able to write a complex query as a workaround, but stored procedures offer you more flexibility.
What do you mean my sig is repetitive? What do you mean my sig is repetitive? What do you mean....
I write all my apps in php with a mysql db, I don't use db specific routines wich makes porting to any db quite easy I stick to simple statements and do all data manipulation in the script. I use a single persistent connection into the db for each application. A simple preg_replace of query and fetch, and connect code to whatever they used for oracle, postgres, etc... Would do the trick to migrate.
Are you seriously suggesting that once you've designed the DB you'll never have to go back in there and change things?
And what will you move to next?
Let's be completely honest with outselves -- software changes with time.
I admit, it's easier to just work in one language, be it JSP, Perl, PHP, whatever -- but it's not as modular as you think it is, because then you're bound to that language. Of course, likewise, if you're using PL/SQL stored procedures, you're then bound to Oracle, so it's a bit of an even tradeoff.
Unfortunately, for every advantage of stored procedures, there seems to be a corresponding disadvantage, so in the end, it matters what you know about your project, and what the plans are for the future.
[oh, wait, one advantage -- less network traffic... I don't think there's a disadvantage on that one]
One other aspect on centralized code is that standard procedures are followed. Such as, if the is a business rule (as opposed to an enforced data rule) that mentions how when A gets a new line, B must be updated as well, a TRIGGER is not a good idea (that's for data rules), so an SP does it all for you. Now, anyone can use the SP and forget about the rule.
Have you read my journal today?
Stored procedures are valuable for efficiently conducting data-intensive operations and enforcing data validity rules. But, if you do not use them for all database interface operations, you have the problem of the client-tier developer trying to figure out whether functionality is contained in a sproc or not. The solution is a good middle tier that encompasses all database interface operations. Decisions about how extensively to use sprocs will be made in the creation of the middle tier.
If you choose to not have a middle tier in code, you gain the flexibility of allowing access to the database from any code language that has the needed db access libraries. The problem with that scenario is, you must use sprocs for every operation in order to ensure correct use of the database by client-tier code.
In regards to creating the middle tier, using generated code to create sproc access functions is advisable.
Concerns about database vendor / programming language lock-in may end up forcing your decision one way or another, but these only apply to the individual situation and are not helpful in a general discussion about the use of sprocs, IMO.
Sorry but I'm in Oracle db since 10 years now and I use MySQL too but not for the same goal. I think that many developers need heavy database with many options (procedure, triggers, replication, objects and so on) and lightweight database too. Each have his own range of applications and utilities.
So i'm not really against procedure and triggers in MySQL as long as it stay a low requierement hardware database. If it change that way to be, I'll drop MySQL and stay in Oracle for all usages.
To all speaking about being stuck in one db vendor , I'll reply than in company front-end langages change far more than database. Databases are expensive so the choice is generally done for long and migration of data are expensive too so company say generally stuck in Oracle, DB2 or SQLServer for a very very long live...
But the front end is another story. For various reason, often many front end are used. Only here in my firefight departement, we use: access, excel, openoffice, php, oracle forms and oracle reports. It lead the dba and the developer (oops it's the same person: me) to use views and procedure to offer a kind of abstraction level to all that tools. It's the better way to be sure that a same question will give a same result whatever is the front end.
The couple MySQL/PHP is great because light and easy. I want it stay like that.
So if you thing procedure is requiered go for it but keep it light in requierement and esay to use.
I am a DBA and a web developer. Heres some quick facts for ya.
.NET as the stored procedure programming language. So you can write vb.net or C# stored procedures. It also has XML documents as a DATATYPE, like int, float, varchar, XML.
SQL Server 2005 has
SQL SERVER 2000 has NO performance difference in executing external SQL statements versus stored procedures IF those external sql statments are "parameterized queries". Sql server can parse, precompile, and store and execution plan for these EXTERNAL sql statments that are "paramenterized queries".
Heres the pros and cons of stored procs in SQL server.
* Faster than non parameterized SQL queries ("standard sql")
* A MUST when your application is internet facing in order for SECURITY. You wouldnt want some hacker being allowed to shoot SQL at your database if they got the application creditials.
* Reduce unneccessary network traffic.
* If the database has to *wait* for the application to supply it with sql statments its going to run slower than if all the SQL is queued up in a stored proc. And I can tell you this, it takes way longer for a web server to talk across a network to an application tier that talks across a network to a database and supplies sql than a stored proc executing inside a database.
* if you have any kind of result set processing that must occur its WAY faster to handle the result set ON the database server than to SHIP it back to the application.
* You can use stored procs to alter the behavior of applications at runtime without locking users out of the application.
The cons:
* If your not familar with tables, indexes, temporary tables, views, triggers, transactions, error handling at the database level, and in general relational database performance tuning you will need help writing them.
Probably too much to just write DBMS-neutral code and not bother to use any value-added features that Oracle provides.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent