Comments on: Just Say No to Manual CRUD

By: A Year in the Life of CaffeinatedCoder: Part 1 | Caffeinated Coder

A Year in the Life of CaffeinatedCoder: Part 1 | Caffeinated Coder — Wed, 07 Jan 2009 07:29:09 +0000

[...] June: SQL Is for the Birds: We finally take the ORM plunge at work and decide to use Castle’s Active Record as a replacement for our custom data access layer. I manage to get a good month of development time in before the project gets temporarily shelved to work on some legacy projects that took a higher priority. It was sad to have to return to writing raw SQL again, but the experience was positive enough to convince me to that ORM’s have progressed too far to still be spending time on doing manual CRUD. [...]

By: Ezone IntraBlog

Ezone IntraBlog — Wed, 18 Jun 2008 10:54:16 +0000

Just Say No to Manual CRUD…

…

By: Fervent Coder

Fervent Coder — Wed, 11 Jun 2008 01:49:47 +0000

@Joe – Fair enough.

By: Joe

Joe — Mon, 09 Jun 2008 16:22:08 +0000

@FerventCoder – “So the question comes down to what is more secure?”
No it doesn’t, at least not for me.
Forget I mentioned security. There are thousands of smart developers who can argue both sides of that fence.
Since I am interested in this movement by business application developers away from sprocs, I am going to make an effort to learn more about the security implications. This obviously is not the forum for me to do so.

There seems to always be things like this that come down the pipe and often get treated as a “must” only to fade or be the hallmark of hacky developers – see databinding. I compare this to nUnit. When I first heard about it I downloaded it, wired it up, played with it for a day and when done….told all my developers to get it and switch our testing methodology to be inline with this tool. nHibernate had no such impression. In a year or so I bet I try again to see if anything has changed about the technoogy or me that makes it become a must for me.
-Joe

By: Fervent Coder

Fervent Coder — Sat, 07 Jun 2008 05:06:46 +0000

Darn double negatives… and an extra “a” to boot. Amending comment…

With that example, I think you can figure out why I don’t believe sprocs are a good security model at all for databases.

By: Fervent Coder

Fervent Coder — Sat, 07 Jun 2008 04:49:25 +0000

@Joe – So the question comes down to what is more secure, a Sproc or a parameterized query? Some say they are equivalent. I say a parameterized query is because you manage your permissions at the object level (tables, columns, etc). I will get into that in a moment.

I would almost want to question what standards the 3rd party security auditors were using when they mandated Sprocs for you. As far as permissions go, with MSSQL Server 2005, you can manage security down to column access in tables. That means you could manage security down to the column level should you want to go down that far. My preference is a the table level unless there is a good reason to be more secure. You give up that security the minute you grant exec on sproc (unless you specifically use deny permission to ensure certain things don’t happen).

I do have an extremely good question for your 3rd party auditors. What permissions do you get when you grant exec on a stored proc? Anything you want that Sproc to do. We use naming conventions like usp_name_Select, usp_name_Update, etc, to help understand what the sproc is doing. What guarantee do you have that a particular sproc is doing nothing more than a select and not updating or deleting rows? Nothing once you grant that exec. Just trust.

Recently we had something happen that I am not at liberty to discuss, but if you let your imagination run wild, you can think of some possible scenarios.

With that example, I think you can figure out why I don’t believe sprocs are not a a good security model at all for databases.

Also, the cached query plan is not an argument since MS SQL Server 2000 made the difference in performance negligible (sp?).

By: Code Heaven

Code Heaven — Sat, 07 Jun 2008 02:35:40 +0000

CodeHeaven’s Required Reading – June 6, 2008…

These are all blog posts I flagged as being particularly interesting, but ones where I may not have anything…

By: Joe

Joe — Fri, 06 Jun 2008 21:04:49 +0000

I have yet to jump on the no-stored-proc-gotta-have-ORM bandwagon.
I downloaded nHibernate and played with it for a day. I hooked up a simple table to a simple object and then shrugged my shoulders and never looked back.
I have no great data translation pains and two 3rd-party security audits specified that we use stored procedures. Not sure how we would manage security for inserts, deletes and updates via views anyway.

The pain I do have though is in regards to user interfaces which I hate to write and business objects that I hate to corrupt with CRUD methods when that is completely separate from business methods.

Would appreciate your feedback.
-Joe

By: Robz

Robz — Fri, 06 Jun 2008 14:58:30 +0000

Let me know if you run into any snags. Bitter Coder has some great tutorials on it!

By: Russell Ball

Russell Ball — Fri, 06 Jun 2008 13:38:26 +0000

@Robz – I’ve actually got some time set aside today to play with Windsor…:-)