The answer to this question may seem obvious – for a secure, well-performing application, of course we all need them!
But what about all those great legacy applications that are littered with embedded SQL? What if we are asked to bring these into the brave new world of rich interfaces and mobile apps (plus those still glued to your traditional PC)? I have seen plenty of applications with MSAccess and MySQL back-ends. When scaling these up, do we really have to create a plethora of stored procedures when all that embedded SQL blinks winningly up at us to be used as-is? This question can be equally posed for a new application, where developers with SQL experience but lacking the know-how to use stored procedures, gamely rush into creating the SQL while coding. And what about dynamic SQL? How do we deal with that?
OK, so let’s rewind… we know that stored procedures bring enormous benefits:
- Increased performance – the SQL is pre-compiled, unlike embedded or dynamic SQL
- More secure – execute access given to the stored procedures only – direct access to tables and views are denied.
- Better separation – the database access is contained within one layer, rather than scattered throughout the application UI code.
- Easier maintenance – wholesale change is easier to apply to a number of stored procedures rather than searching through reams of application code.
- Easier performance tuning – with the separation described above, it is easier to examine the performance of a stored procedure in isolation from UI code and fine-tune it as necessary.
- Easier testing – stored procedures expose an additional area of testing thereby catching bugs in a more timely manner.
And the drawbacks?
The main drawback is the increased development time and the increased skill required to build the queries (but is this a bad thing for your important application?).
As for dynamic SQL – there certainly are situations where we may want this, e.g. building a complex filter from the UI, which don’t fit the pattern of simple parameters for stored procedures. But we can still ensure the database access is encapsulated within the stored procedure by parsing strings or using data (e.g. in table variables) and I would argue this is best practice.
So it looks like we should always aim to build our data access layer using stored procedures. But what about those drawbacks?
OK, it’s time to get real – stored procedures are not complicated – In fact they are just the same as your embedded SQL but embedded in a server-side procedure instead. That means there’s more code to write. In fact quite a lot more code as we can add auditing, error handling and security checking, amongst other very useful things. And we need a version for each CRUD action.
But, after having written many stored procedures it becomes apparent that there is an enormous amount of repetition. In fact stored procedures settle into a very definite and predictable pattern which is pretty irritating if you have to code them individually from scratch, so much so that you’d think you were missing a trick. And you would be, because let’s face it, you can generate the procedures directly from the underlying data model (i.e. the table definitions and the relationships).
In fact there is often code to generate dynamic SQL from the underlying schema within applications. The leap is to change this dynamic code such that it generates the stored procedures as part of the overall development process.
The stored procedure CRUD pattern laid bare (Coming Soon!)
Other (more) entertaining musings on generating stored procedures