What are the arguments for and against business logic in stored procedures?
I'm of the school of thought that says that as long as business logic:
- lives in one place
- where it is properly documented
- proper access is provided through services that can be loosely coupled
- through a published abstracted interface
I don't care if the logic lives in a stored procedure, in a J2EE middle tier, in a clips expert system, or wherever. No matter where you store our business logic the "law of conservation of misery" is going to guarantee that someone will say it was the wrong idea because component/repository X needs to be swapped out for technology/method Y.
+: SQL server sometimes optimizes the code
+: You are forced to pass parameters, which limits SQL injection issues
-: Your code depends on a single database (some dbs don't even have SP)
-: To change code you need to connect to database
-: Logic is not organized well
Personally I'm against it, but I had to use it once on a really busy website. Using SP in MS SQL brought huge benefits, but once I implemented caching those benefits were not so big anymore.
Against stored procedures: business logic in programming space
I place a high value on the power of expression, and I don't find the SQL space to be all that expressive. Use the best tools you have on hand for the most appropriate tasks. Fiddling with logic and higher order concepts is best done at the highest level. Consequently, storage and mass data manipulation is best done at the server level, probably in stored procedures.
But it depends. If you have multiple applications interacting with one storage mechanism and you want to make sure it maintains its integrity and workflow, then you should offload all of the logic into the database server. Or, be prepared to manage concurrent development in multiple applications.
I am thoroughly against it. One of the biggest reasons is the first reason earino stated - it lives in one place. You can not integrate it into source control very easily. It is next to impossible to have two devs working on a stored proc at the same time.
My other main complaint is that SQL is just not very good at representing complex logic. You have no concept of scope, code tends to be copy-pasted because there is a less ability to reuse code (as opposed to an OO language).
You have to give developers access to the database to develop there. In many organizations I have worked at the data people are in a different world than the devs, with different permissions, etc. Keeping the devs out of the database in these cases would be harder.
Business logic should be encapsulated in one place. We can guarantee that the logic is always run and run consistently. Using classes that all activity involving an entity on the database must run through we can guarantee that all validation is run properly. There is one place for this code and any developer on the project can easily open this class and see the logic (because documentation can and does get out of date, the code is the only reliable form of documentation).
This is difficult to do with stored procedures. You may have more than one sproc dealing with the same table(s). Chaining multiple sprocs together so that the logic resides in only one gets unwieldy. That is strike one. How do you determine "What are all of the business rules surrounding entity X" within the database? Have fun searching thousands of sprocs trying to track that down.
Number two is that you are tying your business logic to your persistence mechanism. You may not store all of your data in the same database, or some may reside in XML etc. This type of inconsistency is difficult on the developer.
Validation is difficult to perform if the logic resides only in the database. Do you really call a sproc to validate every field on your data entry form? Validation rules and business logic are close cousins. This logic should all be performed in the same place!
"You can not integrate it into source control very easily." - if you put the code that creates the stored proc into a script that's version controlled, that objection goes away. If you follow Scott Ambler's agile database ideas, that's exactly what you should be doing.
Not all developers are good data modelers. I can think of horrible schemas created by developers who thought that a dabbling knowledge of SQL made them database experts. I think there's a lot of value to having developers working with DBAs and data modelers.
If only one application uses the database, I'd say that business logic can appear in the middle tier. If many apps share the database, perhaps it's better to put it in the database.
SOA offers a middle way: services own their data. Only the service has access to the data; getting to data means going through the service. In that case, it's possible to put the rules in either place.
Applications come and go, but data remains.
One more reason NOT to store business logic in sprocs - limited scaling abilities of the DB. It is very common situation where your database is your bottleneck, that is why it is a good idea to take as much load of the DB as possible.
@Nick "I am thoroughly against it. One of the biggest reasons is the first reason earino stated - it lives in one place. You can not integrate it into source control very easily. It is next to impossible to have two devs working on a stored proc at the same time."
Not that I'm arguing for putting business logic on stored procedures (all the contrary). But these reasons you put forward make no sense. A stored procedure is simply a sql/DDL artifact that can be stored on source control, and which is also a deployment artifact (that is, something handed over to the dba for deployment, much the same way you would hand over your war/ear artifacts to the IT/deployment liasons.) One or more developers can work on the same store proc off source control just in the same way you'll do with plain old source code - by branching, versioning and merging.
Now, if the only copy of the store procedures (and the packages that contain them) only exist in the db, then obviously you cannot control that with source control (and all the problems associated to that). However, that's not a problem of store procedures, but a problem of ineptitude in regard of how to use that code. It is as equally a display of ineptitude as having only one copy of your source code living on production.
I've worked in systems with massive amounts of code, both Java and PLSQL/DDLs and they were all versioned on clearcase. They were all treated as source code that would be compiled and deployed with a strict process, with different teams working on them. Never had any problem as what you are describing.
There are context-specific reasons not to put bizness logic on store procs, but these aren't valid ones.
Some thoughts: Please note this is a Java centric response, but its the bulk of my recent (last 10years) experience
(1) Concurrent development by a (a large) team of developers. If you're application is sufficiently complex that each developer can't set up their own private version of the DB (with attended links/ref data/etc...)it is very difficult to have an entire TEAM of developers all working on the same set of PL-SQL (for example) packages at the same time stored in a shared DEVL DB? Then your stuck (my experience) with working in a DB with invalid procedures / mismatch of code to tables as people make changes...
As a Java architect, I think its much easier to have each developer have a private JBoss instance on their desktop and work easily on their own set of functionality, and integrating at their own pace without impacting everyone else ... which brings me to ...
(2) Continuous Integration toolsets While there exist some similar 'concepts' in the DB world, my experience has shown me that the combo of (i'm picking my current best-of-breed favs here):
- mvn - build system
- junit - automated unit testing
- nexus - repo manager (manages artifact's lifecycles version, snapshots and releases)
- hudson - ci build server
- sonar - static analysis tool / code coverage reports / ALOT more
Running a large project using all of the above (free tools) allows a consistent / easy way to deliver XP to the masses and enforce quality controls over a whole IT staff. Oracle / PL-SQL doesn't have the toolsets to match
(3) tools / libraries / etc... Java has access to an amazing set of services that other platforms cannot touch - some free, some not. even basic ones, like log4j (yes they have it for PL/SQL, but pulease...its not nearly the same) allows for things like allowing developers to create flexibly adjustable logging that can be changed on the fly (perfect for dubugging). Automated API documentation (via javadoc). Automated unit test coverage reports. Incredible IDEs (Eclipse) with integrated debuggers / autodeploy to app servers. An API to interface with every type of service under the sun, open source libraries to do ANYTHING, and 100% support by every vendor
(4) reuse of services. what someone commented on is true. If you have heavy duty data driven business rules then you can argue that these should live in the DB layer. Why? to prevent having the middle tier(s) all having to duplicate that logic.
But the same can be said for business rules that are not data driven or sufficiently complex that OO is a more natural choice. If you stick ALL business logic in the DB, then they're available only via the DB.
- What if you want to have validation done in the client or middle app tier and save a round trip to the DB?
- What if you want to cache read only data in the middle tier (for performance) and have business rules execute against the cached data?
- What if you have a middle tier service that doesn't require DB access, or you have a client that can supply their own data?
- What if the data dependent portion of the business rules then needs to access external services? Then you end with with fragmented business logic that looks like this:
i
retCode = validateSomeDate(date);
if (retCode == 1) then
evaluateIfCustomerGetsEmail(...)//probably more stored proc invocations here...
sendEmailMsg(....)
else if (retCode == 2) then
performOtherBizLogicStuf(...) //again, may need data, may not need data
triggerExternalsystemToDoSomething(...) //may not be accessible via PL/SQL
fi
I'm sure we've all seen systems written like the one above and had to debug them at 2AM. Its extremely difficult to get a coherent sense of a complex process when the business logic is fragmented between tiers, and in some cases it gets to be impossible to maintain.