| Author |
Topic |
|
durand26
Starting Member
3 Posts |
 Posted - 2012-05-31 : 13:46:02
|
Hi,I'm trying to work out a nice template of best practice for all my stored procedures, so that I get into the habit of best practice. Here's what I've come up with. Have I been overly defensive? Have I overlooked some feature of SQL programming that renders much of my code unnecessary? What does everyone else think?I really appreciate your feedback! :)****CREATE PROCEDURE usp_ProcedureName ( @Variable1 int, --First variable @bVictory bit OUTPUT, -- Returns 1 if we get to the end of the procedure with -- no errors. Returns 0 if there was an error. This allows -- any code that calls this stored procedure to know whether -- it worked or not, to make it easier to handle errors up -- the chain. @ErrorMessage varchar(100) OUTPUT -- If there is an error, this variable captures the -- description. )AS--The whole piece of code should be in a Try/Catch block for proper -- error handlingBEGIN TRY BEGIN TRANSACTION --1) VALIDATE INPUTS VIA A CALLED STORED PROCEDURE -- Check that the variables are actually valid, to prevent -- Little Bobby Tables errors. (See xkcd.com/327) --a) Execute the procedure that validates our inputs EXEC usp_ValidateVariable1 @Variable1, @bVictory OUTPUT, @ErrorMessage OUTPUT --b) See if the validation checked out. (If it did, bVictory -- will equal 1. If it didn't, it will equal zero, and -- the error message will be in @ErrorMessage) IF @bVictory <> 1 BEGIN RAISERROR(@ErrorMessage, 11, 1); END --2) ACTUALLY RUN THE CODE YOU WANT TO RUN <Code goes here> --3) DECLARE VICTORY -- If we get this far in the code without errors, then let's -- set our error-handling variables to show the code that -- called it that we made it. SET @bVictory = 1; SET @ErrorMessage = 'Success'; COMMIT TRANSACTIONEND TRYBEGIN CATCH --1) Set our variables @bVictory and @ErrorMessage to show the -- calling code that we didn't make it after all SET @bVictory = 0 IF @ErrorMessage IS NULL BEGIN SET @ErrorMessage = ERROR_MESSAGE(); END --2) Log the error EXEC usp_LogError @ErrorMessage --3) Roll back the transaction ROLLBACK TRANSACTIONEND CATCH |
|
|
Lamprey
Master Smack Fu Yak Hacker
4614 Posts |
Posted - 2012-05-31 : 14:27:02
|
| I'll keep my comments short.1. I'd never pre-fix the sproc name like that.2. I don't see any need to return boolean/string values for status/errors. That is why we have (semi) structured error handling (TRY-CATCH, RAISERROR) and/or a RETURN status. |
 |
|
|
durand26
Starting Member
3 Posts |
Posted - 2012-05-31 : 14:48:20
|
| Excellent! Thanks Lamprey. I didn't know about RETURN statuses.Do most SQL developers validate their inputs in stored procedures like I've done here? Or is it better to leave that to the validation built into the underlying table?If my DNA is 37 megabytes, and the Adventureworks database is 220 megabytes, no wonder I don't understand it. |
|
|
|
visakh16
Very Important crosS Applying yaK Herder
52326 Posts |
Posted - 2012-05-31 : 15:50:45
|
| What type of validation are you trying to do here? Is it some kind of business rules or is it basic validation of data passed like datatype, format etc? if latter, I would be doing it using client side validation logic at front end and will not need a db call for that.------------------------------------------------------------------------------------------------------SQL Server MVPhttp://visakhm.blogspot.com/ |
|
|
|
Bustaz Kool
Master Smack Fu Yak Hacker
1834 Posts |
Posted - 2012-05-31 : 19:48:51
|
| As a general rule, we always have the first line of a sproc be "set nocount on"=================================================There is a foolish corner in the brain of the wisest man. -Aristotle, philosopher (384-322 BCE) |
|
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
|
|
durand26
Starting Member
3 Posts |
Posted - 2012-06-01 : 04:55:55
|
Thanks for your valuable feedback guys!Visakh: It was mostly to stop SQL injections. Eg, to stop someone filling out the name section of a web form with Fred'); DROP TABLE Customers;-- which could cause our customer table to be dropped.It would be nice if the client side application developer puts enough data validation to stop this sort of input, but surely we as database developers should sort it out too, right? If not, is there another way we design our sprocs to prevent SQL injections?Bustaz Kool: Thanks! I'll add thattkizer: Thank you! I'll shorten my transactions. :) |
|
|
|
Lamprey
Master Smack Fu Yak Hacker
4614 Posts |
Posted - 2012-06-01 : 11:20:16
|
quote:
Originally posted by durand26
? If not, is there another way we design our sprocs to prevent SQL injections?
Don't use Dynamic SQL or, possiblu, use sp_ExecuteSql. |
|
|
|
visakh16
Very Important crosS Applying yaK Herder
52326 Posts |
Posted - 2012-06-01 : 11:44:08
|
quote:
Originally posted by durand26
Thanks for your valuable feedback guys!Visakh: It was mostly to stop SQL injections. Eg, to stop someone filling out the name section of a web form with Fred'); DROP TABLE Customers;-- which could cause our customer table to be dropped.It would be nice if the client side application developer puts enough data validation to stop this sort of input, but surely we as database developers should sort it out too, right? If not, is there another way we design our sprocs to prevent SQL injections?Bustaz Kool: Thanks! I'll add thattkizer: Thank you! I'll shorten my transactions. :)
its not a problem to do it at sql end but only thing is it will still result in db call even if input values violate validation rules. Thats why its best implemented at client side using validation functions------------------------------------------------------------------------------------------------------SQL Server MVPhttp://visakhm.blogspot.com/ |
|
|
|
|
Stored procedure template