Hi!
I'm kind of new to Cold Fusion and Oracle, and I have had the job thrust upon me to develop some coding standards for a CF/Oracle intranet system. One of the questions I have to answer is whether it will be better to use stored procedures for retrieval functions, or dynamic SQL. Stored procedures will be used for all insert, update and delete functions. I think the database has several hundred thousand records.
If any of you have an opinion about this, I will be really grateful to hear it (I did search through past messages but couldn't find anything like this one!). Issues such as security, performance, ease of maintainability, etc. have all been brought up, but I am essentially torn between two opposing factions!
Thanks very much for your help.
Gary
Comments
: I'm kind of new to Cold Fusion and Oracle, and I have had the job thrust upon me to develop some coding standards for a CF/Oracle intranet system. One of the questions I have to answer is whether it will be better to use stored procedures for retrieval functions, or dynamic SQL. Stored procedures will be used for all insert, update and delete functions. I think the database has several hundred thousand records.
: If any of you have an opinion about this, I will be really grateful to hear it (I did search through past messages but couldn't find anything like this one!). Issues such as security, performance, ease of maintainability, etc. have all been brought up, but I am essentially torn between two opposing factions!
In general, compiling your SELECT statements in stored procedures is a good practice. First, when you compile the procedures the SQL is parsed, but when you pass in an SQL statement as a string the database must do the parsing step. Also, if you let higher levels of the system pass in arbitrary SQL statements then you leave your database vulnerable to SQL injection attacks.
I've found it far easier to maintain queries in stored procedures because you don't have to worry about string formatting, quote escaping, and other such minutiae. It's also simpler, in our case at least, to update a stored procedure in the database than to patch a DLL on every machine using the system.
infidel
[code]
$ select * from users where clue > 0
no rows returned
[/code]
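To make the injection point in the reply above concrete, here is an added example (not code from either poster, and not ColdFusion or Oracle code): a retrieval query built by string concatenation, the way a cfquery with a bare #url.dept# would build it, next to the same query with a bind variable, which is what a cfqueryparam or a stored procedure parameter gives you. The table, rows and the malicious input are constructed for the demo, and sqlite3 stands in for Oracle because the mechanics are the same. It also shows the one case where dynamic SQL is genuinely needed, a caller-chosen sort column, and the allowlist check that keeps it safe.

```python
import sqlite3

# Constructed sample data standing in for the intranet "users" table.
SAMPLE_ROWS = [
    (1, "gary", "devs"),
    (2, "alice", "admins"),
    (3, "bob", "devs"),
]

# Constructed attacker input: closes the quoted literal and appends a
# tautology, so a concatenated WHERE clause matches every row.
INJECTED_DEPT = "devs' OR '1'='1"

# Only these identifiers may be spliced into statement text.
SORTABLE_COLUMNS = {"id", "username"}


def make_db():
    """In-memory database with the constructed rows (sqlite3 stands in for Oracle)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, dept TEXT)"
    )
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def find_users_dynamic(con, dept):
    """Dynamic SQL built by concatenation: the caller's value becomes part of
    the statement text, so quotes in it change the query's meaning."""
    sql = "SELECT id, username FROM users WHERE dept = '" + dept + "'"
    return list(con.execute(sql))


def find_users_bound(con, dept):
    """Same query with a bind variable. The statement text is fixed at
    coding time; the value is handed to the database purely as data, which
    is also what a stored-procedure parameter guarantees."""
    sql = "SELECT id, username FROM users WHERE dept = ?"
    return list(con.execute(sql, (dept,)))


def find_users_sorted(con, dept, sort_col):
    """Bind variables cannot carry identifiers, so a caller-chosen sort
    column is the legitimate case for dynamic SQL. The identifier is
    checked against an allowlist before it touches the statement text;
    the value part still goes through a bind."""
    if sort_col not in SORTABLE_COLUMNS:
        raise ValueError("sort column not allowed: %r" % sort_col)
    sql = "SELECT id, username FROM users WHERE dept = ? ORDER BY " + sort_col
    return list(con.execute(sql, (dept,)))


def compare(con, dept):
    """Run both retrieval styles on the same input; the row counts differ
    only when the input is carrying SQL."""
    return {
        "dynamic": find_users_dynamic(con, dept),
        "bound": find_users_bound(con, dept),
    }


if __name__ == "__main__":
    db = make_db()
    for label, value in (("normal", "devs"), ("injected", INJECTED_DEPT)):
        result = compare(db, value)
        print(label, "dynamic ->", len(result["dynamic"]), "rows,",
              "bound ->", len(result["bound"]), "rows")
```

With the normal input both functions return the two "devs" rows; with the injected input the concatenated version returns all three rows while the bound version returns none, because it is looking for a department literally named `devs' OR '1'='1`. On the Oracle side the same distinction applies inside the procedure itself: a PL/SQL procedure that builds its statement with `||` and runs it through EXECUTE IMMEDIATE is just as injectable as the ColdFusion string, so keep the SQL static, or pass values through the USING clause, and on the CF side pass parameters with cfprocparam or cfqueryparam rather than interpolating them.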