Stored Procedures a bad practice at one of worlds largest IT software consulting firms?

Question

I'm working at a project in one of the world's top 3 IT consulting firms, and was told by a DBA that company best practice's state stored procedures are not a "best practice". This is so contrary to everything I've learned.

Stored procedures give you code reuse, and encapsulation (two pillars of software development), security (you can grant/revoke permissions on an individual stored proc), protect you from SQL injection attacks, and also help with speed (although that DBA said that starting with SQL Server 2008 that even regular SQL queries are compiled if they are run enough times).

We're developing a complex app using Agile software development methodology. Can anyone think of good reasons why they wouldn't want to use stored procs? My guess was that the DBAs didn't want to maintain those stored procs, but there seem to be way too many negatives to justify such a design decision.

What code reuse does it add? What if your client uses a different database. Have to trash all of those SPs and start from scratch. Don't protect you from sql injection. Speed is minimal in most cases. — Rig, Apr 20 '12 at 15:07
Highly related, from another point of view: http://dba.stackexchange.com/questions/2450/what-are-the-arguments-against-or-for-putting-application-logic-in-the-database — Florian Margaine, Jun 13 '12 at 20:17
Bear in mind that most large I.T. consulting firms have a motive to maximise billable hours while keeping their arse covered. The old-timers with any clout in these firms also tend to be players and bureaucrats rather than techies. I'd take things like that from a consultancy firm with a grain of salt - I've gotten consultancy firms out of the shit on more than one occasion by fixing up their 'best' practice. — ConcernedOfTunbridgeWells, Feb 17 '13 at 11:35
@Rig Code reuse is added just as it is for functions of any language - by wrapping code in a reusable container. Certainly stored procedures do in fact protect you from SQL injection so long as you don't execute a string you've built. To say speed is minimal seems simply uneducated. Most cases wont fall into the same categories on performance benefits but show a wide disparity. — That Realtor Programmer Guy, Jun 01 '15 at 07:05
@GaretClaborn But it is much more likely to re architect the application layer than years and years of historical database data. On any non trivial application application anyway. And if you do you will spend months porting stored procedure rich code. There is little benefit to adding one more dependency to your project except in edgecase situations. Those do exist but the majority of the time its just adding one more hurdle to project agility and code reuse. — Rig, Jun 01 '15 at 14:43
Coming from a background where we used sps almost exclusively I can tell you the benefit from moving away from them and using an ORM like Entity Framework. Far too many times business logic gets encapsulated within the procedure. While you can version procs with some work and or third party tools. It's not as easy as it would be to do so within a framework like TFS or GIT. Your database code that is emitted is agnostic of your RDBMS provider. So you can switch out RDBMS providers at a later date with less of a headache. — ewahner, Nov 09 '16 at 19:32
PLSQL can't have unit tests, meaning you should never EVER put any code or procedure in PLSQL. Only store data there. Just because you can doesn't mean you should, it's like the "include" function in PHP... it's there, but don't use it. — Chris Vilches, Sep 25 '18 at 15:37
That's strange, I've created unit tests for PL/SQL procedures. I guess it's a good thing I didnn't know it was impossible. :-) — Craig Tullis, Nov 03 '18 at 06:42
@ewahner Hi I'm curious about "business logic encapsulated within the proc". We have an SP which consumes a set of filters (thinking devices, OS) and calculates CLV under their constraint. It's about 1,300 lines long, and I'm wondering if it's possible to use ORM to speed up? E.g. to calculate revenue (business logic) the SP will first insert all filters into a temp table (A) and then insert the transaction table into another temp table (B), LEFT JOIN B with A and remove all null records to apply all filters, then uses aggregation to get revenue/fee/etc. from different columns. It's slow. — Nicholas Humphrey, Feb 23 '19 at 16:03
As expected a lot of DBAs here are up-in-arms about having less control of "their" databases and what DBAs can do in them. From a business logic point of view (since you'll use that phrase a lot here), it makes sense especially if the database is from a 3rd party provider. They "may" allow DBA access internally into the DB, but would frown upon DBAs writing their own SPs in there. In my company, we've shifted all our custom SPs over to a DW, where we pull the data in from the source and utilise it how we wish. After all, we own the data - not the software provider. — Fandango68, Sep 12 '21 at 23:09

score 307 · Answer 1 · answered Apr 06 '11 at 22:07

307

In my experience working on very large projects, you have to be very clear on where business logic lives. If you allow an environment where individual developers can put business logic in the business object layer or in a stored procedure as they see fit, a large application becomes VERY difficult to understand and maintain.

Stored procedures are great for speeding up certain DB operations. My architectural decision is to leave all logic in the business layer of the application and employ stored procedures in a targeted manner to improve performance where benchmarking indicates it is warranted.

answered Apr 06 '11 at 22:07

Eric J.

631

2

Well mentioned. I'm re-writing a product for a company at the moment and business logic has crept in to all the stored procedures. It's become extremely difficult to see what rules love in the UI, business tiers, as well as the stored procedures themselves. Not to also forget, that stored procedures give you vendor locking. – Martin Blore Apr 06 '11 at 22:52
If you don't use a proprietary db, vendor lock-in is not really that much of an issue, but it does indeed tie you to a solution. – user21007 Apr 06 '11 at 23:04
41

I don't see things quite that simply. To me, it's ALL business logic. The database, with or without stored procedures, provides certain services and makes certain guarantees. Ideally it should be impossible for incorrect application code to put the database into an inconsistent state. If stored procedures are needed to maintain that consistency, I use them. – kevin cline Apr 07 '11 at 02:38
16

@kevin cline: Define "inconsistent state". I agree that DB features such as referential integrity are valuable and greatly reduce the prospect of an application error causing serious damage. However, generally speaking, the definition of "consistent data" depends on correct execution of business rules. – Eric J. Apr 07 '11 at 03:46
20

add my million to Mayo's million. Distributed business logic takes you off of the highway of good practice, straight into the lane of lunacy – Nico Apr 07 '11 at 09:23
28

+1 Business logic seeping into the DAL is a great concern when using stored procedures. – System Down Apr 07 '11 at 15:59
4

There is no silver bullet to keeping business logic out of any layer. What about default values on fields, triggers, and other types of constraints? – JeffO Apr 07 '11 at 17:56
4

@ jeff database as a storage of data. does not enforce anything. logic layer enforces all. – Christopher Mahan Apr 07 '11 at 20:05
33

@ChristopherMahan, I would NEVER want to use a database you design. That is the worst possible practice from a database perspective. Databases are often affected directly at the database. It is short-sighted to think someone will use the business layer to update a million records or other things that happen over time. Imports do not typeically go through the business layer (yep I want to process my 21 million record import one record at a time in the business layer). Fraud is much easier when you don't have constraints at the database level. Bad data is almost 100% certain. – HLGEM Jan 06 '12 at 21:05
10

@HLGEM, when you process your 21 million records, you remember to do a select into, right, so it doesn't populate the transaction log. And try 900 million records (with 600 fields) and see if you can finish that night with all the triggers. At some point, you gotta trust the people who can do direct data manipulation. Also, if everyone is DBO, you have other issues. – Christopher Mahan Jan 06 '12 at 21:44
1

@JeffO: Drive UI validation from business rules defined in the business layer. I have done that for years. Now you can do that with IDataErrorInfo in the .Net Framework. Using EF Code First, metadata for the DB structure also derives from the business layer. – Eric J. Apr 26 '12 at 03:34
1

This should not be selected as answer... There are projects that people thing "all database calls must be Stored Procedures, and SQL is strictly verboten?" – confiq May 06 '12 at 16:11
1

This is such a narrow-minded programmer point of view. The first part is all right, the second isn't. http://dba.stackexchange.com/a/2452/9749 – Florian Margaine Feb 17 '13 at 11:09
6

Silly @ChristopherMahan, if you're really going to insert 21,000,000 records all at once, you're probably better off using your database server's bulk load facility and not using insert statements at all. – Craig Tullis May 05 '15 at 06:24
2

There ARE NO GUARANTEES that additional apps are going to dutifully use your business logic layer to update the database. That being the case, and it being just as true that sooner or later there WILL be additional apps using your database, you're smart to enable the database to maintain data integrity and consistency. That means foreign keys and check constraints. If it also means using stored procedures, then use stored procedures. SPROCS are powerful tools. I don't really get why so many younger programmers are apparently scared of databases. – Craig Tullis May 05 '15 at 06:28
1

I agree with @kevincline - the idea of distinct and clear-cut "business logic layer" and "data access layer" are archaic at best and dangerous at worst - software should just be viewed as interconnecting components that are abstracted and decoupled where necessary - you don't need "names" for "layers." Whether your "logic" goes in a sproc or in a codebase depends entirely on your goals and infrastructure. – Ant P Feb 17 '17 at 18:16
3

@Craig In that case, make the database its own "project" and put an api layer over it which encompasses the project. Having multiple apps connect to the same DB with different lifecycles, different requirements, different business logic is a recipe for disaster IMO – Joe Phillips Oct 31 '18 at 17:35
@JoePhillips I've been designing and building n-tier software systems for a long time. Of course you have a data layer/API in front of the database and your app accesses the database through that layer. If you're luck, you talk other departments into also using that API to access the database, but you have no guarantee of this. The database will also outlive your API--fact. If the database can protect itself, you stand a much better chance of maintaining the integrity of your data over time. – Craig Tullis Nov 01 '18 at 18:00
2

@Craig I think we just see the DB as being different things. I see two scenarios: (1) the DB is its own app and offers an API to gain access (2) the DB is a piece of a single app and that app has full ownership of the DB. You seem to saying there is scenario (3) where neither app really owns the DB and nobody really has full control of their app. Bad design IMO (but very common I'm certain) – Joe Phillips Nov 02 '18 at 19:12
2

@JoePhillips I'm saying that decades of real world experience bear out that the app is transitory, but the database lives on. Chances are that the database will live beyond the supported lifetime of whatever programming language or framework you used for your app (especially if you chose Ruby on Rails). Sooner or later, another system, and then another, will need access to the database. Technical debt will accrue, the app will be discarded and a new one will be developed. The data is the point. The C-suite and board don't care much about the app. The app and its API are just a means to an end. – Craig Tullis Nov 03 '18 at 02:09
all this "keeping the logic in one place because otherwise makes the app difficult to maintain" is just nonsense is nothing other than lacking of understanding of different architectures, fixation in multitier, which is a monolithic architecture, learn about the Actor Model & distributed architectures, etc. Thinking it makes the app difficult to understand, then the same would apply to any kind of API, hey dude having a backend makes it difficult to understand let's have all in javascript then, lol. – kisai Jun 11 '19 at 16:38
@EricJ. enforcing business logic rules is exactly what Kevin Cline refers to, the mechanism of the DB like primary keys, foreign keys, triggers, cascading etc help you to enforce business logic. This idea of consolidating business logic is archaic and monolithic oriented, it makes no sense at all, this multitier/n-tier view is wrong, what you really have is a distributed system, every actor in the system has to enforce business logic. The frontend should do so to help users, backend in different services SOA or uServices enforce in their single responsibility side of business. – kisai Jun 11 '19 at 16:53
1

@kisai Business logic only in the DB creates a dependence to that DB. I think we agree that's a non-starter. I've seen companies fail because they did this.
The UI (GUI, website, API endpoint) can't be trusted, so while it's an end-user convenience to implement some rules in the UI (e.g. input validation), that can't be the only place they're implemented. I think we both agree on that.

At a minimum, then, logic must be in the middle tier. Replicating some rules in the UI or DB can be beneficial but they must always be enforced in the middle.

Good distributed systems are still n-Tier.
– Eric J. Jun 17 '19 at 20:53
Imagine the disaster of having queries that need to be updated regularly or changed and having them in the code...basically have to release a new version every time you change a query and users would need to update it. – MattE Jun 28 '22 at 14:04

score 194 · Answer 2 · edited Jun 16 '20 at 10:01

Some Observations

Stored procedures give you code reuse, and encapsulation (two pillars of software development),

Only if you use them correctly in the context in which they are supposed to be used. The same claim can be said about functions (in structured programming) or methods (in object oriented programming), and yet, we see 1K functions and mega-ass objects.

Artifacts don't give you those benefits. The proper usage of those artifacts is what give those benefits.

security (you can grant/revoke permissions on an individual stored proc),

Yes. This is a good point and one of the main reasons I like stored procedures. They provide a finer-granularity access control than what can be typically achieved with just views and user accounts.

protect you from SQL injection attacks,

That is not specific to SPs since you can achieve the same level of protection with parameterized SQL statements and input scrubbing. I would use SPs in addition to those, however, as matter of "security in depth".

and also help with speed (although that DBA said that starting with SQL Server 2008 that even regular SQL queries are compiled if they are run enough times).

This is highly database vendor specific, but in general your DBA is right. SQL statements (either static or parametrized) do get compiled. SPs help if you want/need to aggregate and compute data that you cannot do with simple SQL statements, but are tightly integrated with SQL and does not warrant the round-trip to the app server.

A good example is querying data into a temporary cursor (or cursors) from which to run another SQL itself. You can do it programmatically in the app server, or you can save the multiple round-trips by doing it in the db.

This should not be the norm, however. If you have many of those cases, then that is a sign of bad database design (or you are pulling data from not-so compatible database schemas across departments.)

We're developing a complex app using Agile software development methodology.

Agility has to do with software engineering processes and requirement managements, and not technologies.

Can anyone think of good reasons why they wouldn't want to use stored procs?

Wrong Question

The question is wrong and equivalent to asking "are there any good reasons not to use GOTO"? I side with Niklaus Wirth more than with Dijkstra on this subject. I can understand where Dijkstra's sentiment came from, but I do not believe it is 100% applicable in all cases. Same with store procs and any technology.

A tool is good when used well for its intended purpose, and when it is the best tool for the particular task. Using it otherwise is not an indication that the tool is wrong, but that the wielder doesn't know what he/she is doing.

The proper question is "what type of stored procedure usage patterns should be avoided." Or, "under what conditions should I (or should not) use stored procedures". Looking for reasons not to use a technology is simply putting the blame on the tool as opposed to placing the engineering responsibility squarely where it belongs - in the engineer.

In other words, it is a cop-out or a statement of ignorance.

My guess was that the DBAs didn't want to maintain those stored procs, but there seem to be way too many negatives to justify such a design decision.

What they are doing then is projecting the results of their bad engineering decisions on the tools they used poorly.

What to do in your case?

My experience is, when in Rome, do as the Romans do.

Don't fight it. If the people at your company want to label store procs as a bad practice, let them. Be advised however, that this can be a red flag in their engineering practices.

Typical labeling of things as bad practice is usually done in organizations with tons of incompetent programmers. By black-listing certain things, the organization tries to limit the damage inflicted internally by their own incompetence. I shit you not.

Generalizations are the mother of all screw ups. Saying that stored procs (or any type of technology) are a bad practice, that's a generalization. Generalizations are cop-outs for the incompetent. Engineers do not work with blatant generalizations. They do analysis on a case-by-case basis, do analysis trade-offs and execute engineering decisions and solutions according to the facts at hand, in the context in which they are supposed to solve a problem.

Good engineers do not label things as bad practice in such generalizing ways. They look at the problem, select the tool that are appropriate, make trade-offs. In other words, they do engineering.

My opinion on how not to use them

Don't put complex logic beyond data gathering (and perhaps some transformations) in them. It is ok to put some data massaging logic in them, or to aggregate the result of multiple queries with them. But that's about it. Anything beyond that would qualify as business logic which should reside somewhere else.
Don't use them as your sole mechanism of defense against SQL injection. You leave them there in case something bad makes it to them, but there should be a slew of defensive logic in front of them - client-side validation/scrubbing, server-side validation/scrubbing, possibly transformation into types that make sense in your domain model, and finally getting passed to parametrized statements (which could be parametrized SQL statements or parametrized stored procs.)
Don't make databases the only place containing your store procs. Your store procs should be treated just as you treat your C# or Java source code. That is, source control the textual definition of your store procs. People rant that store procs can't be source controlled - bullcrap, they just don't know what the bloody hell they are talking about.

My opinion in how/where to use them

Your application requires data that needs to be transposed or aggregated from multiple queries or views. You can offload that from the application into the db. Here you have to do a performance analysis since a) database engines are more efficient that app servers in doing these things, but b) app servers are (sometimes) easier to scale horizontally.
Fine grain access control. You do not want some idiot running cartesian joins in your db, but you cannot just forbid people from executing arbitrary SQL statements just like that either. A typical solution is to allow arbitrary SQL statements in development and UAT environments, while forbidding them in systest and production environments. Any statement that must make it to systest or production goes into a store procedure, code-reviewed by both developers and dbas.

Any valid need to run a SQL statement not in a store proc goes through a different username/account and connection pool (with the usage highly monitored and discouraged.)

In systems like Oracle, you can get access to LDAP, or create symlinks to external databases (say calling a store proc on a business partner's db via vpn.) Easy way to do spaghetti code, but that's true for all programming paradigms, and sometimes you have specific business/environment requirements for which this is the only solution. Store procs help encapsulate that nastiness in one place alone, close to the data and without having to traverse to the app server.

Whether you run this on the db as a store proc or on your app server depends on the trade-off analysis that you, as an engineer, have to make. Both options have to be analyzed and justified with some type of analysis. Going one way or another by simply accusing the other alternative as "bad practice", that's just a lame engineering cop-out.

In situations where you simply cannot scale up your app server (.ie. no budget for new hardware or cloud instances) but with plenty of capacity on the db back-end (this is more typical that many people care to admit), it pays to move business logic to store procs. Not pretty and can lead to anemic domain models... but then again... trade-off analysis, the thing most software hacks suck at.

Whether that becomes a permanent solution or not, that's specific to constrains observed at that particular moment.

Hope it helps.

Good answer, but was this intended to be ironic? "Generalizations are the mother of all screw ups." — bedwyr, Feb 18 '13 at 03:28
Yep and nay. That comment of mine was intended for this particular sentence referred by the OP in his original question (stored procedures are not a "best practice".) A coarse description of store procedures as best or bad practice is a generalization. Ignoring the context in which they can be good OR bad can (and will often lead) to screw ups when architecting or designing solutions ;) — luis.espinal, Feb 19 '13 at 16:24
+1 for "Typical labeling of things as bad practice is usually done in organizations with tons of incompetent programmers." - been there, lived through that, including being told to my face by a dev manager that he thought I had a great solution for one tricky problem, but if he was seen to allow me to implement it then it would open the floodgates for the muppets. — Julia Hayward, Sep 04 '14 at 15:20
A little long winded, though a well though out answer. I hope the when In rome do as Romans do is taken to heart. — Robert Baron, Feb 19 '17 at 05:13
Answer would be improved without the snark. Or if you knew what a 'best practice' is. A best practice is a method or technique that has been generally accepted as superior to any alternatives because it produces results that are superior to those achieved by other means or because it has become a standard way of doing things This entire answer describes how Stored Procedures are not a best practice. You have to think about their pros and cons and use them accordingly. But then you take a dump on other people for saying the same thing. — Shane, Apr 16 '18 at 21:17
@Shane You are right. However I believe what this answer is trying to convey is the tendency of some groups of engineers to excuse their lack of knowledge or analysis by calling on the bad practice card. The answer could see some improvement for the more inexperienced of us, though. — Cesar Hernandez, Sep 19 '18 at 19:32

score 59 · Answer 3 · edited Apr 20 '12 at 00:18

59

The rationale is that relying on a stored procedure layer limits portability and ties you to a certain DB. Added maintenance costs are also cited as a reason. I also wanted to comment on this point you made:

(stored procedures) protect you from SQL injection attacks

It's actually the parametrized querying that protects you, which you can easily do in plain text sql querying.

edited Apr 20 '12 at 00:18

user

2,200

answered Apr 06 '11 at 22:11

System Down

4,753

21

And if your stored proc is using any type of dynamic sql along with a string parameter, you're right back where you started. – JeffO Apr 07 '11 at 17:52
4

The difference is that access permission can be set for stored procedures on per procedure basis, for parameterised SQL queries you have to rely on programmers sanity not to do + "blablabla" because you have to allow plain SQL, and that's where control ends. – Coder Apr 20 '12 at 03:58
23

I've never understood the "ties you to a certain DB" argument. How often do you take your program and migrate it to an entirely different database? – Mason Wheeler Jun 14 '12 at 18:07
12

@MasonWheeler - +1 every time. In any sufficiently large project, your app ends up being written against the foibles of a given DB product. Converting to another DB becomes a major job no matter what because the new DB will have different oddities! – Michael Kohne Jun 14 '12 at 18:09
2

@MichaelKohne, I would say never in my experience. It depends on what segment of the industry you are in. In Enterpise systems it is rare to change database vendors. In the COTS world, it happens all the time or the design must account for multiple vendor possibilities. In the web world is somehwat divided depending on what the web site actually does and how critical the db is to the success of the site. – HLGEM Jun 05 '13 at 17:45
6

@HLGEM - but in the COTS world, multiple DBs are EXPECTED at the outset (in fact, you choose the compatible DBs). It's not that you port, it's that you support different back-ends, which is a completely different beast than doing a port. – Michael Kohne Jun 05 '13 at 18:34

Gilles · Answer 4 · 2011-04-07T17:31:49.503

52

Some of the reasons that I agree stored procs aren't a best practice.

Business and application logic should be in the code not in the database. Putting logic in the DB is mixing up concerns.
You can't test stored procs as seamlessly as code in your conventional unit test projects with the rest of the application logic.
I don't find stored procs as being conducive to test first programming when I am writing code.
Stored procs aren't as easy to debug as application code when you are debugging your program in your IDE.
Versionning control / Source control of SP vs. normal code

edited Apr 07 '11 at 17:31

answered Apr 06 '11 at 22:12

Gilles

2,201

10

You can just as easy do test-first programming on stored procedures. – Apr 07 '11 at 06:57
5

Hmmm, well... 1) The usage of db stored procedures does not necessarily imply that business logic is being put in them. 2) stored procs are some of the easiest things to unit test. 3) store procs are not necessarily conductive of test-first practices, true, but not everything that is computable can be test-first'ed. 4) debugging shouldn't be an issue since store procs should contain nothing more than easy-to-verify SQL statements and cursors. Also, debugging should take place by first testing and debugging the SQL statements in code, and then moved into store procs... just IMO btw. – luis.espinal Apr 07 '11 at 16:30
8

You're obviously not a DB dev. Source control, IDEs - its damn easy to debug a SP if you're using TOAD or a similar IDE, same with versioning. – gbjbaanb Jul 21 '11 at 11:02
I recommend utplsql for unit testing PL/SQL packages. – Scott A Jul 22 '11 at 01:41
8
on unit testing stored procs. idk about other unit test frameworks but at least with MS Test (VisualStudio.TestTools.UnitTesting), running any of the Assert methods on the stored proc at least requires a Db connection, which by definition makes it more of an integration test than a unit test. And a stored proc may reference state about the database at a global, database level. These may not be fake-able or have interfaces.

T. Webster

Jan 07 '12 at 07:50

4

+1 In addition, stored procedure languages (pl/sql,t-sql,plpgsql, etc) are very clunky and verbose. It's much easier for me to use a scripting language to make a database connection and handle the business logic outside of the database. – Jun 13 '12 at 19:31

I know its an old question, but wouldn't taking a service based approach solve these issues while keeping the benefits of stored procedures? – Jonathan DS Jan 15 '20 at 18:21

Complex Business logic must always be in the database because business data must be processed using SQL not any other language. The mistake the application developer always is to write complex logic in cursor (row by row processing) which makes the application less scalable. – Sabyasachi Mitra Jun 19 '20 at 15:54

greyfade · Answer 5 · 2011-04-07T17:26:44.927

24

Stored procedures give you code reuse, and encapsulation (two pillars of software development),

Yes, but at the cost of being able to meet other agile design goals. They're more difficult to maintain, for one thing. If the project I'm on is any indication, you'll likely end up with multiple, incompatible SPs that do essentially the same job, with no benefit.

protect you from SQL injection attacks,

No. They do not. I can't even begin to guess where this idea might have come from, as I hear it said often, and it's simply not true. It may mitigate certain types of SQL injection attacks, but if you're not using parametrized queries in the first place, that won't matter. I can still ';DROP TABLE Accounts; --

and also help with speed (although that DBA said that starting with SQL Server 2008 that even regular SQL queries are compiled if they are run enough times).

They're also typically compiled when you use prepared, parametrized statements (at least with several of the DBs I've used). By the time your application begins executing the query (or especially when you execute the same prepared query multiple times), any performance advantage that you think your SP has is completely moot.

The only reason to use a stored procedure, IMHO, is when you must make a complex, multi-staged query that pulls from multiple collated sources. SPs should not contain low-level decision logic, and they should never simply encapsulate an otherwise simple query. There are no benefits and only many drawbacks.

Listen to your DBA. He knows what's up.

edited Apr 07 '11 at 17:26

answered Apr 06 '11 at 22:44

greyfade

11,133

1

Red Gate have a product SQL Source Control for SQL Server, but I agree, pushing logic into stored procs is an excellent way to ensure that you have important logic not under any sort of version control. – Carson63000 Apr 07 '11 at 11:59
22

@greyfade - "I have yet to see source control for SPs" - are you kidding me? A store proc is just a bloody text file that you upload in your database engine (which takes it, compiles it and installs it for execution.) Every place I've worked that has stored procs, we store the store proc source code in, say, CVS, clearcase or whichever SCM that was in use. Saying that store procs cannot be source-controlled (because they are in the db) is like saying my application source code (Java, C# or whatever) cannot be source controlled because it is compiled and deployed in production. – luis.espinal Apr 07 '11 at 16:34
4

@luis.espinal: I did not say they could not be in source control. I merely said that I did not know of a tool specifically for maintaining the history of SPs, implying maintaining that history within the database. Please don't rant at me just because you misread something. – greyfade Apr 07 '11 at 16:39
1

All opur stored procs are under source conrtrol, just becasue you have seen bad parctices in the past doesn't mean that they are inherent in using stored procs. – HLGEM Apr 07 '11 at 17:00
How about I just strike all mention of source control from my answer, since neither of you seem to be able to understand what I'm saying and immediately assume the worst? I dislike that you equate my statement that I'm "unaware" of good source control for SPs with a blanket statement that it's impossible. – greyfade Apr 07 '11 at 17:25
1

@luis.espinal is it typical that the source of a stored procedure can be retrieved later from the database? If so, you can just have a tool that pulls it out regularily, and have other tooling in place to recreate an installation from scratch. Do that once in a while to ensure it is accurate. – May 05 '12 at 13:20
@ThorbjørnRavnAndersen - oh yeah, very typical in every place (good place that is) that I've worked that had stored procedures . The operative word is "good", a place that doesn't version SPs is a time-bomb IMO. I've worked mostly on Oracle shops, where we would use a command-line tool based off DBMS_METADATA or select text from user_source, or GUI-based extraction facilities off Toad or SQL Explorer.) Pretty much that's how things got versioned (and also, to create installs from scratch as you described.) – luis.espinal May 08 '12 at 17:01
@luis.espinal here's a tool for maintaining the history of SPs http://www.apexsql.com/sql_tools_version.aspx – Carol Baker West Feb 27 '13 at 09:49

score 21 · Answer 6 · answered Apr 07 '11 at 03:22

All three of the companies I work for used stored procedures for their application logic with SQL Server. I have not really seen things the other way. But to me they are a big mess. There typically aren't very good error handling facilities or code re-use facilities with stored procedures.

Let's say you have a stored procedure that returns a dataset you want to use, how can you use it in future stored procedures? The mechanisms on SQL Server for that are not very good. EXEC INTO...only works to one or two level)s of nesting (I forget now). Or you have to pre-define a work table and have it process keyed. Or you need to pre-create a temp table and have the procedure populate it. But what if two people call a temp table the same thing in two different procedures that they never planned to use at the same time? In any normal programming language, you can just return an array from a function or point to an object/global structure shared between them (except for functional languages where you'd return the data structure as opposed to just changing a global structure...)

How about code re-use? If you start putting common expressions into UDFs (or even worse sub queries) you will slow the code to a halt. You can't call a stored procedure to perform a calculation for a column (unless you use a cursor, pass the column values in one by one, and then update your table/dataset somehow). So basically to get the most performance, you need to cut/paste common expressions all over the place which is a maintenance nightmare... With a programming language you can create a function to generate the common SQL and then call it from everywhere when building the SQL string. Then if you need to adjust the formula you can make the change in a single place...

How about error handling? SQL Server has many errors that immediately stop the stored procedure from executing and some that even force a disconnection. Since 2005 there is try/catch but there are still a number of errors that cannot be caught. Also the same thing happens with code duplication on the error handling code and you really cannot pass exceptions around as easily or bubble them up to higher levels as easily as most programming languages.....

Also just speed. A lot of operations on datasets are not SET oriented. If you try to do row oriented stuff, either you are going to use a cursor, or you are going to use a "cursor" (when developers often query each row one by one and store the contents into @ variables just like a cursor...Even though this is often slower than a FORWARD_ONLY cursor). With SQL Server 2000 I had something that was running for 1 hour before I killed it. I rewrote that code in Perl and it finished in 20 minutes. When a scripting language that is 20-80x slower than C smokes SQL in performance, you definitely have no business writing row oriented operations in SQL.

Now SQL Server does have CLR integration and a lot of these issues go away if you use a CLR stored procedures. But many DBAs don't know how to write .NET programs or turn off the CLR due to security concerns and stick with Transact SQL.... Also even with the CLRs you still have issues of sharing data between multiple procedures in an efficient way.

Also in general the hardest thing to scale out is the database. If all your business logic is in the database, then when the database becomes too slow you are going to have issues. If you have a business layer you can just add more caching and more business servers to boost performance. Traditionally another server to install windows/linux and run .NET/Java is much cheaper than buying another database server and licensing more SQL Server. SQL Server does have more clustering support now though, originally it did not really have any. So if you do have a lot of money, you can add clustering or even do some log shipping to make multiple read only copies. But overall this will cost much more than just having a write behind cache or something.

Also look at the Transact-SQL facilities. String Manipulation? I'll take the Java String Class/Tokenizer/Scanner/Regex classes any day. Hash Tables/Linked Lists/Etc. I'll take the Java Collection frameworks, etc... And the same for .NET... Both C# and Java are way more evolved languages than Transact SQL...Heck coding with Transact-SQL makes me jealous of C...

On the plus stored procedures are more efficient for working with a big dataset and applying a multiple queries/criteria to shrink it down before returning it to the business layer. If you have to send a bunch of huge datasets to the client application and break down the data at the client it will be much more inefficient than just doing all the work at the server.

Also stored procedures are good for security. You can cut all the access to the underlying tables and only allow access through the stored procedures. With some modern techniques like XML you can have stored procedures that do batch updates. Then all access is controlled through the stored procedures so as long as they are secure/correct the data can have more integrity.

The SQL injection argument doesn't really apply so much anymore since we have parameterized queries on the programming language side. Also really even before parameterized queries a little replace("'", "''") worked most of the time as well (although there are still tricks to use to go past the end of the string to get what you want).

Overall I think SQL and Transact SQL are great languages for querying/updating data. But for coding any type of logic, doing string manipulation (or heck file manipulation....you'd be surprised what you can do with xp_cmdshell....) please no. I'm hoping to find a future place that does not use stored procedures mostly. From a code maintainability point of view they are a nightmare. Also what happens if you want to switch platforms (although really if you paid for Oracle/DB2/Sybase/Sql Server/etc. you might as well get everything you can out of them by using every proprietary extension you can that helps you out...).

Also surprisingly often the business logic is not the same. In the ideal world you would put all the logic in stored procedures and share that between applications. But quite often the logic differs based on the applications and your stored procedures end up becoming overly complex monoliths that people are afraid to change and do not understand all the implications of. Whereas with a good object oriented language you can code a data access layer which has some standard interface/hooks that each application can override to their own needs.

I can't help but offer food for thought on the whole set-oriented vs. procedural issue, though. I have seen database cursors used in all kinds of cases where that approach was just nuts. I have personally replaced explicit cursor-based SQL (Oracle PL/SQL, in that particular case) with a set-oriented query and saw the results come back in under a second, instead of 8 minutes. It took me 30 minutes to dissect that 1,000 line cursor code and "get" it. The resulting SQL query was concise, elegant, simple. People underestimate the power of their database servers far too often, and far too quickly. — Craig Tullis, Mar 21 '14 at 23:25
The big mistake: Writing SQL applications is not same as Java or .Net. You don't write SQL for Oracle in the same way as you write for SQL Server. There is no such thing called DB agnostic application. It's a myth. If you write DB agnostic applications you are most likely defeating the purpose of the DB. — Sabyasachi Mitra, Jun 19 '20 at 15:58

score 18 · Answer 7 · answered Apr 06 '11 at 22:07

18

This was the official line when I worked for one of the Big Five a few years back. The rationale was that since SPs are tied to particular implementations (PL/SQL vs T/SQL vs ...), they unnecessarily limit technology choices.

Having lived through the migration of one large system from T/SQL to PL/SQL, I can understand the argument. I think it's bit of a canard though - how many places really move from one database to another on a whim?

answered Apr 06 '11 at 22:07

DaveE

792

10

@DaveE: For an enterprise solution you're probably right. If you're creating packaged software, as soon as you ship on MSSQL your biggest prospect will want it to run on Oracle. – Eric J. Apr 06 '11 at 22:09
3

@Eric: too true. Where I'm at now, we use tons of SPs and tell folks 'no' if they don't want MSSQL. It's nice to be able to do that. – DaveE Apr 06 '11 at 22:12
4

@DaveE: Does the sales team wish you could say "yes"? – Eric J. Apr 07 '11 at 03:48
4

It is not as much moving one system from one database to another, but having one system being able to use whatever database system the customer already has. Big databases are expensive. – Apr 07 '11 at 07:03
@EricJ: yes, but once they see what the cost would do to their commission, the request kinda goes away. – DaveE Apr 07 '11 at 16:32
@ThorRA: That's why it's nice the mgt here will say 'no' to the sale. I've worked places where the database was regarded as an "implementation detail" and having Sales pitch one of those over the wall is no fun. – DaveE Apr 07 '11 at 16:35
Maybe I'm missing something, but if you are going to have to change the stored procedures because of switching databases, are you going to have to change the code just as much if you don't use stored procedures? – Kevin Apr 07 '11 at 18:19
@Kevin: If you don't care about performance, you may hope that you won't have to change much. – quant_dev Apr 07 '11 at 20:22
This kind of thinking would prevent you from developing in any language on any platform, wouldn't it? – Barry Brown May 05 '12 at 19:58
1

@Quant_dev, if you are accessing a database you must care about performance. It is attitudes like yours which is why I see so many badly designed and poorly performing datbases. That is not optional and that is why database specific code is often preferred, but it is almost alawys more performant. – HLGEM Sep 04 '14 at 17:36
Not only that. The way SQL works in Oracle does not work in SQL Sever. Their Optimizer is different. – Sabyasachi Mitra Jun 19 '20 at 16:00

score 12 · Answer 8 · answered Apr 06 '11 at 22:28

12

How do you version stored procedures on the server?

If you redeploy stored procedures to the server from version control, you blow out the stored execution plan.

Stored procedures should not be modifiable directly on the server, otherwise how do you know what's really running _right now? If they are not, the deployment tool needs access to write stored procedures to the database. You'd have to deploy on every build (exec plan might need to be different)

While stored procedures are non-portable, neither is SQL in general (ever seen oracle date handling--uggghhh).

So, if you want portability, build an internal data access API. You can call this like function calls, and internally you can build in in whatever lingo you want, with parameterized queries, and it can be version-controlled.

answered Apr 06 '11 at 22:28

Christopher Mahan

3,404

6

How do you version stored procedures on the server? - you version control the store proc source code. When it's time to deploy, you grab the store procs (from a given baseline) and you (or your dba) deploy to production. Redeployment (be it on testing or production) certainly blows out the stored exec plan, but that will happen independently of whether you source control your SPs or not. – luis.espinal Apr 07 '11 at 16:38
Granted, we do the same. When we redeploy, though, we do the SP deploys manually, only for the ones needed. Automated would redeploy them all. Not optimal. – Christopher Mahan Apr 07 '11 at 16:47
And changing a sql statement doesn't change the stored execution plan? – JeffO Apr 07 '11 at 17:48
@Jeff what do you mean any sql statement? Changing the stored procedure, sure. But if there are 300 SP on the server, do you change the 2 you updated, or all 300 in an automated deploy? – Christopher Mahan Apr 07 '11 at 17:59
Your build and deploy scripts should know which SPs have changed and update only those. – Barry Brown May 05 '12 at 20:03
1

@BarryBrown It doesn't work if people have access to the server directly and can change the stored procedures. I'd have to have a process that watches the SPs, or have a check before each use... – Christopher Mahan May 07 '12 at 21:40
5

If you have people just changing sprocs willy-nilly on servers without committing their changes to source control, you have a process problem that is almost certainly affecting your imperative code development, as well, even if you're not aware that it is. – Craig Tullis Mar 13 '14 at 07:58
Oh, I know there is a process problem, but I came into the team with the system already set up this way, and there's no changing it now. – Christopher Mahan Mar 15 '14 at 02:42
1

One of the things I've done in the past has been to put a development instance of the database server on individual developer's workstations, or if that wasn't possible, then at least have "dev" and "production" instances of the databases, and all the DDL and DML scripts, as well as sample data and load scripts lived under their own directory in the source tree, and the database was routinely built from those scripts using the MAKE file. Devs were able to use nmake to build single stored procs, as well. If they didn't put it under source control, it would disappear on them, and they knew it. – Craig Tullis Mar 21 '14 at 23:10
1

...I didn't mean to sound disparaging in my earlier comment, with the "..., even if you're not aware..." phrase. What I meant to convey was that if that sort of thing is happening with stored procedures, it's probably happening in other parts of the project, as well. I personally kind of dislike integrated source control in IDE's, in part because I think it makes people kind of lazy in terms of thinking about what it really means to the team and project as a whole to make changes and commit those changes to the source control repository. Those things should not be "automatic" in my opinion. – Craig Tullis Mar 21 '14 at 23:16
"If you redeploy stored procedures to the server from version control, you blow out the stored execution plan." Stored procedures does not have execution plan. DB agnostic application is a myth. – Sabyasachi Mitra Jun 19 '20 at 16:01

score 10 · Answer 9 · answered Apr 07 '11 at 18:22

This is so contrary to everything I've learned.

You might need to get out more. [grin] Seriously, stored procs have been on the decline for at least 10 years. Pretty much ever since n-tier replaced client-server. The decline has only been accelerated by the adoption of OO languages like Java, C#, Python, etc.

That's not to say stored procs don't still have their proponents and advocates - but this is a long-running discussion and debate. It's not new, and will likely still be going on for quite some time; IMO, the opponents of stored procs are clearly winning.

Stored procedures give you code reuse, and encapsulation (two pillars of software development)

Very true. But, so does a decently architected OO layer.

security (you can grant/revoke permissions on an individual stored proc)

While you can do that, few do it because of the serious limitations. Security at the DB level isn't granular enough to make context-aware decisions. Because of performance and management overhead, it's unusual to have per-user connections as well - so you still need some level of authorization in your app code. You can use role based logins, but you will need to create them for new roles, maintain which role you're running as, switch connections to do "system level" work like logging, etc. And, in the end, if your app is owned - so is your connection to the DB.

protect you from SQL injection attacks

No more so than doing parametrized queries. Which you need to be doing anyway.

and also help with speed (although that DBA said that starting with SQL Server 2008 that even regular SQL queries are compiled if they are run enough times).

I think that started in MSSQL 7 or 2000. There's been a lot of debates, measurements, and misinformation on stored proc vs inline SQL performance - I lump it all under YAGNI. And, if you do need it, test.

We're developing a complex app using Agile software development methodology. Can anyone think of good reasons why they wouldn't want to use stored procs?

I can't think of many reasons you would want to. Java/C#/any 3rd GL language are all much more capable than T-SQL at encapsulation, reuse and felxibility, etc. Most of which is free given a half-decent ORM.

Also, given the advice to "distribute as needed, but not more" - I think the burden of proof these days is on SP advocates. A common reason for going stored proc heavy is that T-SQL is easier than OO, and the shop has better T-SQL devs than OO. Or, that the DBA stops at the database layer, and stored procs are the interface between dev and DBA. Or, you're shipping a semi-custom product and the stored procs can be user-customized. Absent some considerations like that, I think the default for any Agile SW project these days is going to be ORM.

There is a LOT to gain performancewise if you do not have to transfer gigantic datasets out of the database to do simple stuff. Measure, and optimize if needed. — , May 05 '12 at 13:23
Precisely. Stored procedures can be used like a scalpel. It's an absolute guarantee that I/O inside the database server has more bandwidth than I/O between the database server and your middle tier. And you're not going to write faster, more efficient data join code in your middle tier than the database engine devs wrote in the database server. If you're transferring 1,000,000 rows of data to your middle tier to do a join, which I've certainly seen, you just ought to be flogged... It's like the guys who claim you should "write your own rollback code." Insanity. — Craig Tullis, Mar 21 '14 at 23:28
Don't underestimate your database server. Learn how to use it correctly. — Craig Tullis, Mar 21 '14 at 23:29
FWIW, you don't need a stored proc to do a join on the database side. And if you're using a cursor for procedural logic, you've likely lost the performance war already. Giving up stored procedures is certainly not the same as giving up SQL or set based solutions. — Mark Brackett, Mar 21 '14 at 23:46
Totally true, and I was actually arguing in favor of SQL more than arguing specifically for sprocs. But then having SQL embedded in your imperative code isn't necessarily the key to happiness, either, right? Which often leads into the whole ORM debate, which then leads to me pointing to performance comparisons between ORM-driven db access vs just learning how to use SQL. I've both seen and heard of systems where, say, Oracle consultants recommended keeping all the load possible off the database server, leading to heavy (and grossly expensive!) middleware with abysmal performance. — Craig Tullis, Mar 22 '14 at 00:35
I thought we have gone past that ORM era. Anyway PL/SQL (and I think T-SQL too) have ORM support. the entire concept of ORM is bad for DB operation. The problem creeps in when you ask your applications to do the DB intensive operations (which should be best left to Database). — Sabyasachi Mitra, Jun 19 '20 at 16:04

score 4 · Answer 10 · edited Jun 14 '12 at 18:05

Considering all the above cases, I would like to add one more. The choice of SP may be depends on people choice as well.

I personally feel frustrated when people puts very complex logic in SP and I believe such SP is very complex to maintain and debug. Even many cases the developer himself faces problem when debugging in code behind (say language part) is much more easier than in SP.

SP should only be used for simple operations. Well that is my choice.

score 4 · Answer 11 · answered Feb 17 '13 at 10:33

I want to cover both some pro- and con- issues with stored procs. We use them extensively with LedgerSMB, and our rule is, with a few very specific extension, "if it's a query, make it a stored proc."

Our reason for doing this was to facilitate cross-language query reuse. There isn't a better way to do this honestly.

In the end the question is always on the details. Well used, stored procedures make things a lot easier, and poorly used they make things a lot harder.

So on to the con side.

As traditionally used, stored procedures are brittle. Used alone they create the possibility of adding bugs to your code in places you didn't expect for no reason other than that the call syntax changed. Used alone this is a bit of a problem. There is way too much cohesion between layers and this causes problems.
Yes, it is possible to have intra-sproc sql injection if doing any dynamic sql. It is a bad thing to be over-confident in this area, and consequently one needs to have significant experience in security in this area.
Changes to interfaces are somewhat problematic with stored procedures for reason #1 above but this can become a very big nightmare if large numbers of client apps are involved.

The above are pretty hard to deny. They happen. Everyone, pro-SP and anti-SP has probably had horror stories regarding these. The problems aren't unsolvable but if you don't pay attention to them you can't solve them (in LedgerSMB we use a service locator to dynamically build SP calls at run-time, avoiding the above issues entirely. While we are PostgreSQL only, something similar could be done for other db's).

On to the positives. Assuming you can solve the above problems, you get:

The possibility of enhanced clarity in set operations. This is particularly true if your query is very large or very flexible. This also leads to enhanced testability.
If I have a service locator already working in this area, I find stored procedures speed up pace of development because they free up the application developer from db concerns and vice versa. This has some difficulties in doing right but it is not that hard to do.
Query re-use.

Oh and a few things you should almost never do in an SP:

non-transactional logic. You sent the email that the order was shipped but the transaction rolled back... or now you are waiting to continue for the email server to come online.... or worse you roll back your transaction just because you can't reach the email server....
lots of little queries loosely strung together, sprinkled with procedural logic....

Agree strongly, re: keeping non-transactional junk out of stored procedures. In that Email example, the Email message should be dropped into a queue and serviced asynchronously, anyway. Talk about setting yourself up for a massive performance hit and funky behavior under load, making your database transactions dependent on the response of your mail server? Yikes! — Craig Tullis, Mar 23 '14 at 02:25

user21007 · Answer 12 · 2011-04-07T00:15:24.973

4

Who do you work for?

The answer may depend on who you are employed by, the consulting firm or the company itself. What's best for a company is very often not best for a consulting firm or other software vendor. e.g. A smart company desires to have a permanent advantage over its competitors. By contrast a software vendor wants to be able to hawk the same solution to all the businesses in a particular industry, for the lowest cost. If they are successful in this, there will be no net competitive advantage for the client.

In this particular case, applications come and go but very often, the corporate database lives on forever. One of the primary things an RDBMS does is to keep junk data from entering the database. This can involve stored procedures. If the logic is good logic and highly unlikely to change from year to year, why should it not be in the database, keeping it internally consistent, irrespective of whatever application is written to use the database? Years later someone will have a question they want to ask of the database and it will be answerable if junk has been prevented from entering the DB.

So maybe this has something to do with the fact that your DBA works for a consulting firm. The more portable they can make their code, the more they can reuse code from client to client. The more logic they can tie up in their app, the more the company is wedded to the vendor. If they leave behind a big mess in the process, they will get paid to clean it up, or never see the mess again. Either way it's a win for them.

enter image description here

For (lots) more discussion on both sides of the fence, read the discussion at coding horror. FWIW I lean to the side of those advocating for SPs.

edited Apr 07 '11 at 00:15

answered Apr 06 '11 at 23:39

user21007

876

1

This answer focuses on tieing the question of whether or not to use stored procedures to the question of whom do you work for and what their motivations are. Downvote. The answer should instead focus on tieing the question of whether or not to use stored procedures the pros and cons of stored procedures. If the answer focused on the idea that SPs keep junk from entering the database, I would not have downvoted. I would disagree, in the interest of disclosure, but I would not have downvoted. – yfeldblum Apr 07 '11 at 01:53
Also you linked an article from 2004, IMHO the landscape has changed quite a bit since then. OR/M's have become a lot more commonplace. Ruby/Rails ActiveRecord, MS came out with linq & EF, Django for python, etc. – Brook Apr 07 '11 at 02:25
@Justice, he's right though, whether storedprocs area best practice depends on lot on who the company is and what role they play. For instance, stored procs allow you to set permissions on the proc itself and not directly on the table. If you are doing any financial work and have to consider internal controls, they are the only viable option for protecting your data from users. But if you are creating COTS products with possible multiple backends, they are too database specific. If you are a consulting firm, you may need to consider several differnt approaches as best for the circumstances. – HLGEM Apr 07 '11 at 17:08
3

@HLGEM I don't object to any of the points you brought up. But I object to the answer's thesis that the primary reason the DBA might put logic into the application is because he is a consultant and intends to screw the customer. It ties a person's moral standing to his choice of whether to use stored procedures. In my opinion, there are technical arguments on both sides, and the arguments on both sides will differ from application to application, technology to technology, company to company, industry to industry. And I will first look for merit before impugning motive. – yfeldblum Apr 07 '11 at 23:30
He said he works for a consulting firm. Maintaining more control over the code vs stored procedures that are deployed to the customer's site is a very legitimate reason this might be their "best practice". It might not be to "screw the customer" but might well be an issue of greater control. – Jesse Feb 23 '12 at 08:32

JeffO · Answer 13 · 2011-04-07T17:57:22.383

3

It's very difficult to switch database brands and utilize the same stored procedures.

Your team either doesn't have a DBA and no one else wants to have anything to do with sql.

This is nothing more than a programmer v DBA pissing contest.

edited Apr 07 '11 at 17:57

answered Apr 07 '11 at 17:43

JeffO

36,816

score 2 · Answer 14 · answered Apr 20 '12 at 08:27

It's always a source of problems to have the business logic splitted up between different layers, using different programming languages. Tracing a bug or implementing a change is way harder when you have to switch between worlds.

That said, I know companies that do pretty well by putting all business logic into PL/SQL packages living in the database. Those are not very large applications, but not trivial either; say 20K-100K LOC. (PL/SQL is better suited for that kind of system than T-SQL, so if you only know T-SQL, you probably shake your head in disbelieve now...)

score 2 · Answer 15 · answered May 05 '12 at 20:31

This is another point not mentioned yet:

Code generation tools and reverse engineering tools cannot really cope well with stored procedures. The tool generally cannot tell what the proc does. Does the proc return a resultset? Several resultsets? Does it fetch its resultsets from several tables and temporary-tables? Is the proc just an encapsulated update statement and does not return anything? Does it return a resultset, a return value and some "console output"?

So if you want to use a tool to create a data-transfer-object DTO and DAO layer automatically (such as liferay's "service builder" does) , you cannot easily do so.

Moreover, ORMs like Hibernate cannot really work properly when the data source is an SP. Data access is read-only at best.

It's interesting that code generation tools apparently have such a hard time figuring out whether a stored procedure returns a result set, when the stored procedure itself doesn't have any trouble with that. — Craig Tullis, Mar 23 '14 at 02:29

score 2 · Answer 16 · answered Jun 05 '13 at 16:06

Programming solo, I cannot resist writing stored procedures.

I'm using MySQL primarily. I have not used object-oriented databases before like PostGreSQL, but what I'm able to do with SP's in MySQL is abstract the table structure away a little bit. SP's allow me to design these primitive actions, whose inputs and outputs will not change, even if the database underneath it does change.

So, I have a procedure called logIn. When you log in, you always just pass username and password. The result passed back is the integer userId.

When logIn is a stored procedure, now I can add additional work to be done at login that happens at the same time as the initial log in. I find a series of SQL statements with embedded logic in a stored procedure easier to write than the (calling environment FETCH) -> (get result) -> (calling environment FETCH) series you have to do when you write your logic server side.

score 2 · Answer 17 · answered Apr 07 '11 at 16:06

IMO it depends. Stored procedures have their place, but they are not a best practice, nor are they something to be avoided at all costs. A smart developer knows how to properly evaluate a given situation and determine if a stored procedure is the answer. Personally I am a fan of using an ORM of some kind (even a basic one like raw Linq to Sql) rather than stored procedures except maybe for predefined reports or similar but again it's really a case-by-case basis.

score 1 · Answer 18 · answered Apr 20 '12 at 12:50

I agree with Mark that the community has really been moving away from stored procedures for quite some time now. While many of the points the original poster raised why we may want to use SPs were valid at one time, it has been quite a while and, as another poster said, the environment has changed. For instance, I remember one argument FOR using SPs 'back in the day' was the performance gains achieved because their execution plans were 'pre-compiled' while dynamic SQL from our code had to be 're-compiled' with each execution. This is no longer the case as the major databases have changed, improved, adapted, etc.

That said, we are using SPs on my current project. The reason is simply because we are building new applications on top of an existing database that still supports legacy applications. As a result, making schema changes is very difficult until we turn off the legacy apps. We made a conscious decision to design our new applications based on the behavior and rules required for the application and to use the SPs to temporarily interface with the database the way we'd like it to be and allow the SPs to adapt to the existing SQL. This goes to a previous poster's point that SPs make it easier to make changes at the database level without requiring changes to the application code. Using SPs as an implementation of the Adapter pattern certainly makes sense to me (esp. given my current project), and may be the only argument I can really see FOR their use today.

Fwiw, it is our intention to remove the SPs when the schema is updated. But, as with everything else in corporate development, we'll see if that ever happens! [grin]

score 1 · Answer 19 · answered Apr 06 '11 at 23:17

1

I want to also point out that stored procedures do use cpu time on the server. Not a lot, but some. Some of the work done in the work procedure could be done in the app. It's easier to scale the app layer than the data layer.

answered Apr 06 '11 at 23:17

Christopher Mahan

3,404

3

It's hard to scale a database? – JeffO Apr 07 '11 at 17:47
1

It's at least significantly more expensive (unless your on MySQL) and in many places I've worked getting another SQL Server Enterprise Edition license is like pulling teeth – ben f. Apr 07 '11 at 18:16
scaling database is no harder than scaling an app layer end of story – Brian Ogden Mar 23 '17 at 04:55

score 0 · Answer 20 · answered Feb 20 '14 at 18:40

I just wanted to make a concise overview of how I would recommend using stored procedures. I do not think they are a bad practice at all, and like others have said they should be used in the proper situations.

I can see problems where writing procedures for different applications can become confusing in functionality and separate the business logic of the application and result in the database becoming more disorganized and restrictive as well.

Therefore, I would use a stored procedure in relational data-oriented tasks specific to the database. In other words, if there is logic used for database operations that is consistent with the data for any application, a stored procedure could be used to keep the data stored consistently (makes sense). I think good examples of this are: consistent logging, consistent maintenance, working with sensitive information, etc.

Other tasks the manipulate the data to fit the needs of the application that follow the strong data model of the database, I think, should then be stored in another layer containing the business logic. In short, database specific data manipulation for consistency could use stored procedures, where the consistency extends past the database integrity schema model.

score -2 · Answer 21 · answered Apr 07 '11 at 09:26

-2

Besides distributing business logic needlessly, and tying you to a specific database vendor, I also firmly believe in using a technology for what it was intended. A database is just that, a relational data store. Use it to store data, nothing else.

Choose your tools wisely and you'll save yourself a world of hurt in the long run.

answered Apr 07 '11 at 09:26

Nico

99

if you're going to downvote then do so, but at least explain why. – Nico Apr 08 '11 at 06:37
probably because you're wrong. A SP doesn't mean you're writing code in there, just writing your data-access queries (in 99% of the cases I think). Besides, just putting triggers and constraints on the data model counts as 'code' - ie operational logic, not data. Hence my point that you're wrong. – gbjbaanb Apr 20 '12 at 11:47
Where do you do set transforms on your stored data other than in the database? – Chris Travers Mar 23 '14 at 03:57

Stored Procedures a bad practice at one of worlds largest IT software consulting firms?

21 Answers21

Some Observations

Wrong Question

What to do in your case?

My opinion on how not to use them

My opinion in how/where to use them

Linked

Related