Do you prefer to use stored procedures or parameterized queries? What is your argument supporting your choice? Is one method really any better than the other in terms of performance, security, maintainability... etc?
+22
A:
From the .NET tag (and only from the tag) I'm going assume SQL Server here. Parametrized queries are excellent for projects that have a single application and modest security requirements. The require less effort to set up, and many ORM systems are going to use them if you like it or not.
On the other hand, if your database is handled by multiple applications and you need to enforce consistency of access, or if you need complex security (partial access to tables, either by column or by row or both) you should be using stored procedures. They allow you to enforce your security requirements and provide a consistent interface so applications don't violate your data rules.
As far as performance goes, I haven't noticed enough difference between the two to care these days: parametrized queries plan caching seems to work well enough.
Godeke
2008-10-23 17:40:53
IMO an excellent answer to a radioactive question.
cfeduke
2008-10-23 17:41:42
This is a very solid answer. I have seen many people swear that SPs are the only true answer to database CRUD, but it just seems like such unnecessary maintenance for projects with a smaller scope.
Jon Tackabury
2008-10-23 17:52:42
I think this is one of the best answers I have heard. In enterprise land with lots of DBs and lots of applications talking to them you need to put up some walls. But if you are just building a single application with a database no one else will ever see then stored procs are often overkill.
Craig
2008-10-24 02:40:33
because a single app with a single DB can turn into a) maintenance nightmare, or b) an enterprise app with lots of DBs. We've all written prototypes that end up released, I learnt that coding something quick and easy always comes back to bite later.
gbjbaanb
2008-10-24 09:06:15
When a single app db expands, I convert to stored procedures. The YAGNI principle means I expend effort only at the point a second app or complex security is required. That is less than half the time, from experience. In the long run, that is a time win.
Godeke
2008-10-24 15:55:30
I think it is fairly easy to work out early on if an app will turn into an enterprise app. Stackoverflow.com never will for example.
Craig
2008-10-24 22:25:40
I agree about YAGNI ruling the day as well; if you build the sprocs up front, you're probably going to build them wrong (or at least, suboptimally). Save the writing of them for when you find out through profiling (or security requirements) that you really need them, and have the data to back up your decision on what they should look like.
Paul
2010-06-10 02:32:40
A:
Stored Procedures are going to have better performance for complicated queries, this is because when you store the procedure the DB has the opportunity to compile the procedure in advance, with parametrized queries it need to be compiled every time it is run.
I think StoredProcedures are better for maintainability because they can create a clear interface to the database, you can use them to add a layer of abstraction to the database.
As for security I believe StoredProcedures (because they are precompiled) are less susceptible to SQL injection. That is of course unless you decide to use dynamic queries within the stored procedure (ugly).
luke
2008-10-23 17:42:18
"As for security I believe StoredProcedures (because they are precompiled) are less susceptible to SQL injection." - I'm not sure I buy into this. SQL injection isn't prevented because of the precompilation, it is prevented by using parameters.
Jon Tackabury
2008-10-23 17:46:06
Search SO for more discussion on this topic. SPs aren't the magic bullet they used to be.
casademora
2008-10-23 17:54:46
Let's say there would be a nasty bug that allowed you to make injection to a parameterized query. you wouldn't be able to send the injection to the procedure because it is precompiled.
Bogdan Maxim
2008-10-23 18:59:04
A:
Also related:
Are Stored Procedures more efficient, in general, than inline statements on modern RDBMS’s?
casademora
2008-10-23 17:56:00
+4
A:
Two questions you might ask yourself when consider this are:
If I have to make big changes to the way the database is structured, which would I rather rewrite?
and
When I'm debugging an issue, which would make my life easier?
rice
2008-10-23 18:28:18
A:
Hi,
Here are some advantages for Stored procedures:
In terms of maintainability:
One could use parametrized queries for simple/trivial operations, like retrieving data, or inserting data in table. Stored procedures are easier to maintain than inline queries if you have complicated (processing) code. Who would like to maintain program source code mixed with complicated SQL code in the same file. Also, almost all of the parametrized queries that are complex, can be found splitted in multiple string concats. Believe it or not, I've seen a SQL query concatenated in over 60 lines length.
In terms of speed:
First, you could think about the time it takes to compile the query and, also, the time it takes to create an execution plan (Both of them are sometimes longer than the execution time of the query). The stored procedures are compiled only once, unless specified, and the execution plan is stored, so a restart of the server wouldn't loose it. Also, for queries, the execution plans aren't created right away, but after a few calls of the same query (depending on the databse engine).
In terms of connection:
If you have a slow connection to the sql server, and large queries, you would probably be better off using stored procedures, as they generate less network traffic, and usually less roundtrips between the server and the client.
Also, there are also lot's of other advantages/disadvantages of using one over another, but the bid would be for stored procedures in most of the cases.
At this moment there is no advantage coming throug my mind for parametrized queries, but i would leave others to come with them.
Bogdan Maxim
2008-10-23 18:56:28
+1
A:
I like to use stored procedures because they help me write transaction oriented code rather than very object oriented code. They isolate the database logic. I don't have to compile anything to deploy them. So fixing them after deployment of the main app is easier. For simple queries that only read data, I just use parameterized queries. For anything that modifies the database or uses a complex select I use a stored procedure.
Stored procedures' big advantage in performance is keeping the data on the sql server and not having to transfer it to the client to process it. The whole idea of batch processing data and minimizing cursor use.
Stored procedures' big advantage in security is they can be secured via permissions like tables. Also you can enforce business level data security in them.
Will Rickards
2008-10-23 19:36:36
You can write transaction oriented code using OO principles. You should investigate the Unit of Work pattern.
Craig
2008-10-24 04:41:42
A:
Bogdan has said it already. Think of it in this way - do you want to write clean separation of application code and data access layer, or do you want to be like those vilified PHP programmers who embed the HTML throughout their scripts?
Placing SQL inside your application and calling the DB is easy - from an application developer's point of view, but SPs are the better approach in every way. Once you've created them, they're easy to debug (especially with the tools that come with SQL Server)
The ultimate approach is to design your application, and then give the required data access components to a DBA to code for you - he gives you an API to call, and the internal niceties of figuring out how to return the requested data is up to him, who is hopefully much more of an expert in how to make the data relationships work better than you could do.
Parameterized queries work, and there's no reason prohibiting them, but just like you take the time to properly design your app, you should take the time to put SPs in.
gbjbaanb
2008-10-23 21:53:02
Not using SPs does not mean you have to scatter SQL code throughout your app. That is an urban legend.
Craig
2008-10-24 02:43:54
no, but that doesn't mean people code them in a properly modular fashion. SPs do enforce the correct discipline though.
gbjbaanb
2008-10-24 09:00:07
Stored procedures enforce *nothing*. Every seen spaghetti code with cursors operating against a denormalized database? If not, you are verrrry lucky. People enforce good design, garbage can be written in every language.
Godeke
2008-10-24 21:06:20