views:

203

answers:

5

I have to develop database development standards for our organisation for SQL Server and any code that interfaces to it. The code used can be anything from .NET code to VBScript to SQL Server Jobs.

Does anyone have a good link for this kind of thing?

My quick list is follows:

1) Naming Conventions
-- Stored Procedures usp_AppName_SPName
-- Functions usf_AppName_SPName
-- Indexes IX_TableName_IndexName
-- Tables AppName_TableName
-- Views VW_Name


2) Allocation of permissions to roles, never directly to users or groups
3) Allocation of roles to groups, never directly to users
4) Use of minimal permissions
5) No inline sql in code, always use SP or Functions
6) Use of explicit transactions
7) Readonly transactions where applicable
8) Always use explain plans to ensure sql is performant.

What other things do we need to cover? I am sure that there are lots of things....

+2  A: 

I have to take issue with your first item right off the bat. While I know a lot of people like to use prefixes for stored procedures, tables, and the like, I've never had much use for that convention. When you start to get a lot of stored procedures that all start with "usp_", and you click to the expand the "Programmability\Stored Procedures" folder in Management Studio, it can be rather unwieldly to navigate.

Instead, require a prefix to match the logical feature set/functional group. What those prefixes are will vary by application or database. Then if you want to distinguish a stored procedure from a table, add your "_usp" requirement as a suffix.

For tables: you want something in your naming convention to distinguish between Application data (lookup tables) and User data.

Joel Coehoorn
I'd add that views were originally intended as logical tables. The idea was that you could switch a table out for a view and everything would just work. It isn't so simple in practice, but a view-only prefix destroys whatever's left of the illusion.
Peter
+1: I agree, having spent more than my fare share of time adjusting window panes in order to navigate ridiculously large object trees, perhaps in part due to somewhat overzealous coders. My advice, keep it simple good old fashioned CamelCase and Joel, get your self a widescreen monitor ;-)
John Sansom
+3  A: 

Since we are talking best-practices I'd throw in a few things to avoid:

  1. avoid use of xp_cmdshell
  2. avoid dynamic sql unless strictly necessary (such as for dynamic pivoting)
  3. avoid cursors (if not on temp tables)

P.S. Btw - I am doing all of the above ;)

JohnIdol
dynamic sql is a good one
russau
+2  A: 

Also consider using multiple schemas. Use AppName.TableName instead of AppName_TableName, where AppName is a schema. The AdventureWorks sample does this, for instance.

John Saunders
Thats a nice idea. Unfortunately we have SQL Server 2000 instances which don't really implement multiple schemas nicely. Definately for SQL Server 2005 tho.
GordyII
I recommend you not waste time on coding standards for SQL Server 2000. It would be unfortunate if software from the distant past were to prevent you from succeeding in the future.
John Saunders
A: 

Aren't roles and groups the same thing in SQL Server?

A few others...

  1. Avoid using UDFs in WHERE clauses

  2. Disallow direct SQL in applications (always use SPs)

  3. Use comment blocks in front of views/procs/functions including a revision history and/or revision date
  4. Use ANSI join syntax
  5. Limit use of triggers, especially for replicated tables
Joe
#3: Your procedures should be versioned! That makes a huge revision history comment block redundant.
Joel Coehoorn
When you version stored procedures, do you mean like usp_MYProc_V2 etc etc?
GordyII
Some of our users are segmented in Network Groups, such as Support, who are then allocated to a role, instead of having individual logins. Is there anyway to do that in SQL Server directly?
GordyII
He means, like in source control.
John Saunders
Oh right, that makes sense and it should be part of the standards. Thanks, good point.
GordyII
That reminds me about the other link I couldn't find for my answer last night, K. Scott Allens series of blog posts starting at http://odetocode.com/Blogs/scott/archive/2008/01/30/11702.aspx
kevinw
Our procs ARE version controlled. This does not obivate the need to have some information in the proc; you don't remove comments from code just because you checked it in.
Joe