
Re: Stored procedures vs SQL for SELECT queries

Hi!
I'm kind of new to Cold Fusion and Oracle, and I have had the job thrust upon me to develop some coding standards for a CF/Oracle intranet system. One of the questions I have to answer is whether it will be better to use stored procedures for retrieval functions, or dynamic SQL. Stored procedures will be used for all insert, update and delete functions. I think the database has several hundreds of thousands of records.
If any of you guys have an opinion about this, I will be really grateful to hear it (I did search through past messages but couldn't find anything like this one!). Issues such as security, performance, ease of maintainability, etc. have all been brought up, but I am essentially torn between two opposing factions!
Thanks very much for your help.
Gary

Comments

  • infidel Posts: 2,900 Member
    : Hi!
    : I'm kind of new to Cold Fusion and Oracle, and I have had the job thrust upon me to develop some coding standards for a CF/Oracle intranet system. One of the questions I have to answer is whether it will be better to use stored procedures for retrieval functions, or dynamic SQL. Stored procedures will be used for all insert, update and delete functions. I think the database has several hundreds of thousands of records.
    : If any of you guys have an opinion about this, I will be really grateful to hear it (I did search through past messages but couldn't find anything like this one!). Issues such as security, performance, ease of maintainability, etc. have all been brought up, but I am essentially torn between two opposing factions!

    In general, compiling your SELECT statements in stored procedures is a good practice. First, when you compile the procedures the SQL is parsed but when you pass in an SQL statement as a string the database must do the parsing step. Also, if you let higher levels of the system pass in arbitrary SQL statements then you leave your database vulnerable to SQL-injection attacks.

    I've found it far easier to maintain queries in stored procedures because you don't have to worry about string formatting, quote escaping, and other such minutiae. It's also simpler, in our case at least, to update a stored procedure in the database than to patch a DLL on every machine using the system.


    infidel

    [code]
    $ select * from users where clue > 0
    no rows returned
    [/code]
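The two points in the reply above (quote-escaping minutiae and SQL injection) side by side, as an added example that is not the poster's code: the same SELECT built by string concatenation and with a bind variable, run against a constructed in-memory SQLite table standing in for the Oracle users table (the table, the sample names and the function names are assumptions for the demo).

```python
import sqlite3

# Constructed sample rows standing in for the intranet's user table.
SAMPLE_USERS = [("alice", "Alice Smith"), ("bob", "Bob O'Brien"), ("carol", "Carol Jones")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, fullname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_by_name_dynamic(conn, name):
    # The pattern the reply warns against: caller-supplied text becomes part of the SQL,
    # so the database parses it on every call and any quote in it changes the statement.
    sql = "SELECT login FROM users WHERE fullname = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_by_name_bound(conn, name):
    # Fixed SQL text plus a bind variable, which is what a stored procedure parameter
    # or a cfqueryparam gives you: the value is data, never parsed as SQL.
    sql = "SELECT login FROM users WHERE fullname = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def demo():
    conn = make_db()
    results = {}
    results["bound_plain"] = find_by_name_bound(conn, "Alice Smith")
    # A legitimate name containing a quote works with a bind variable...
    results["bound_quote"] = find_by_name_bound(conn, "Bob O'Brien")
    # ...and a quote-laden string is simply a name that matches nobody.
    results["bound_tautology"] = find_by_name_bound(conn, "x' OR '1'='1")
    try:
        # Concatenation breaks on the same legitimate name (unbalanced quote).
        results["dynamic_quote"] = find_by_name_dynamic(conn, "Bob O'Brien")
    except sqlite3.OperationalError:
        results["dynamic_quote"] = "syntax error"
    # Concatenation lets the same string rewrite the WHERE clause and return every row.
    results["dynamic_tautology"] = find_by_name_dynamic(conn, "x' OR '1'='1")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```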
