tags:

views:

1842

answers:

14
+10  Q: 

ORM vs Handcoded Data Access Layer

I'm a bit scared to ask this question as it may start a religous war so I want to be really clear on what I'm looking for. I'm looking for a reason(s) why you would or have jumped one way or the other and also for items to add to my lists. I'm looking for the big ticket, big bang items. Also, items specific to a product, maybe, if they are really relevant. At this point I'm trying to evaluate ORM vs Manual not product A vs product B.

ORM Advantages

 - Quick to code and low maintenance (in some/most scenarios) 
 - Additional features for "free" (no developer effort)

Hand Coded Advantages

 - More Efficient (at runtime, maybe not at dev time?)
 - Less layers of complexity
 - Most ORMS seem to struggle with being retricted to sprocs only

In the interests of full disclosure, I really don't like the idea of "something" executing code against my database that I can't directly modify, if I see fit but I can see the potentially massive development time advatages of an ORM.

Its probably also worth noting I'm in a .Net world

[edit] (the question at http://stackoverflow.com/questions/494816/using-an-orm-or-plain-sql seems to answer many of the questions and reinforce the point about performance)

So, to alter my question slightly

Has any built an app using an ORM in the early stages and then gradually replaced with with a handcoded DAL? What were the pitfalls of this approach?

[Further Edit - getting to the heart of the problem now] Having a website be able to execute any SQL against my database is scary. If all access is through sprocs my database lives in nice, safe, comfortable isolation. Using exclusively sprocs removes a lot of, if not all, SQL injection attack vectors. Any comments on that?

+1  A: 

I have struggled with this for a few years. Looked at a lot of things. And have over the last 3 months realized "why am I wasting all this time on this". I kind of view the ORM as a solved problem. I would rather trust some team that has complete focus on ORM to write an ORM layer than me. Mentally, I'm just ready for new challenges.

My choice is NHibernate. I'm really a newb to this right now. But I like the potential to use Fluent NHibernate or Castle ACtiveRecord also. This seems to be where the mindshare is.

But not sure what I would do in an "everything is a sproc" world.

tyndall  2009-02-19 03:03:44
+4  A: 

A few weeks ago I started development on a new project. I had complete control over the tools I could use. I started with db40 because I wanted to eliminate this question altogether; I just wanted to persist my objects directly, forget about ADO.NET or OR/M. But db40 had problems so I ha to abandon it.

My next choice was ADO.NET because I thought it would be fast and easy. But I had to write way too much code, use too much "string sql" and it was just a chore altogether. I mean, it was a royal PITA and after coding two repositories with it I wanted to cut my wrists.

My third choice was NHibernate. I have had previous problems with NHibernate in a situation where I needed to use disconnected objects (such was the case this time as well, hence why it took me three tries to get to it). But that was NHibernate 1.2. This time I got the 2.0 binaries and had zero problems with updating disconnected objects. I also had to write way fewer lines of code and it was super-simple when I needed to refactor things, which was probably most important since my design changed rapidly.

I'm sold on NHibernate now. It appears highly optimized as well. Honestly, I can't find a negative to it. And there's no stored procedures.

I know it's my OR/M of choice going forward and I'll never write straight ADO.NET again.

Chris Holmes  2009-02-19 03:06:55
I wouldn't consider no sprocs as a positive. If you need to manipulate large amounts of data, the database is the place to do it
Frustrating Developments  2009-02-19 03:40:28
You can use Sprocs with nHibernate.
Webjedi  2009-02-19 14:26:31
A: 

You don't need to abandon your SPROCs or hand crafted SQL with a good ORM like nHibernate.

I've replaced my ORM data access methods after the fact, it's not hard at all, it's the best of both worlds.

Webjedi  2009-02-19 03:07:35
+8  A: 

We initially wrote an app using JPA ever since the day it went into production we have regretted it. The amount of database calls being made by the ORM were astronomical, so we have now started the process of piece-meal rewriting the application using good ol' fashioned JDBC utilizing Spring's JDBC helper classes. The pitfalls of starting with an ORM is that we spent a good deal of time learning JPA and at the end of the day we have to replace it with JDBC so our application can be more scalable without adding 3 other nodes to our Oracle RAC. So if you balance it out, the control and precision of JDBC was worth the extra lines of code you have to write. Also, most people do not understand that SQL is not something that can be generated and expected to perform. It is something that has to be written and tweaked to gain maximium performance.

Nick  2009-02-19 03:15:15
Totally agree re: your comments about people not understanding SQL
Frustrating Developments  2009-02-19 03:39:23
Again I have to say you aren't stuck with the SQL it generates. It can be replaced easily. If you could get 100% of your data access handled for you, but have to tweak 10% of those queries to get the best perf out of it...you still win with an ORM.
Webjedi  2009-02-19 21:34:57
It's not simply about performance, Webjedi. If you need multiple objects to come back in a header with a couple of details for instance, I bet 100% of ORM's will make 3 database calls. However, with JDBC, I can get all that data in one call. Which do you think will scale better?
Nick  2009-02-20 00:33:08
I'm pretty sure with some helper tools like Rhino Commons the same can be achieved with nHibernate. And even if you can't you're not violating and law that says you can use an ORM for *most* of you data access and leave the wonky stuff to direct data access. Just saying it's not all or nothing.
Webjedi  2009-02-20 01:11:26
It's possible that, with enough tweaking and poking, it can be made to work. But by definition it's an additional abstraction layer with generated-not-written code, plus the hacks. Not everyone thinks DALs are so bad that they need avoiding.
le dorfier  2009-04-27 02:54:18
Alex Beardsley  2009-04-27 03:06:39
In my case, it *is* all about performance... I started off with an ORM and ended up with an app that is too slow for my customers. Sometimes ORM technology leaves you in a position where optimizations are very tricky.
Mark  2009-09-02 12:33:04
+3  A: 

I've been writing and maintaining my own ORM for 8 years now. It started in Java, then translated to C#. I can't imagine writing any database backed system without it. It is way simpler than NHibernate, and doesn't have all its features but it gets the job done and it is quite fast even though it uses reflection extensively, since it replaces XML configuration with reflection over the DAO class definitions.

I'm quite happy with it, and would not use any other approach.

EDIT: regarding SQL injection attacks: a recent system I developed using this ORM was extensively audited and absolutely no injection was permitted. The reason is simple: it generates SQL on the fly and always uses parameters, no string concatenation.

Otávio Décio  2009-02-19 03:16:20
Good point about it using parameters
Frustrating Developments  2009-02-19 03:41:06
A: 

I have used Castle Project's Active Record implementation with NHibernate for a personal project. The project was never deployed, partly because of my inability to work with the ORM choice that I made.

The reason that I decided to use ORM was because I wanted the ability to switch from SQL Server to MYSQL without changing my code. In real projects the decision to use SQL server is already made for me, and it is easier to just write datalayers in the traditional 3-tier way when you know that the database won't change. But for personal projects I use shared hosting, and MySQL is a cheaper solution.

The reason I went with Castle was because it was very easy to use. With the activewriter plugin for visual studio, I was able to generate my classes and database using a designer (kind of like the linq to SQL designer), and it seemed to fit well with my mental model of how the ORM should dictate your application architecture.

The problem that I had with that ORM was that I wasn't able to find information on how to properly optimize it. It was making extremely large calls to the database. (The SQL query generated to get a user was 1mb of text when I logged it.)

So, I using the ORM, I saved myself a lot of work upfront, but I ran into a wall when I tried to fix the problem with the framework generating too much SQL. (On which I am still slowly working).

Even though I didn't find the solution perfect, I would still try ORM for other personal projects, because it's just me, and I want to spend my project time on fun code, not datalayers.

At work, however, I would probably not be too quick to suggest that we use an ORM, before I was an expert (Maybe after I get several working personal projects under my belt).

NetHawk  2009-02-19 03:45:37
+4  A: 

I've used Subsonic for a couple of largish projects. I'm not advocating the use of one ORM over another, but I wouldnt do another database-related project without one. The ability to regenerate the entire db access layer whenever I change the database structure, the ability to add features in one place that affect the entire DB layer.

The thing is that you have to understand how it interacts with the database, otherwise you run the risk of writing (severely) under-performing code. Your ORM tool might give you a nice object-oriented view of your data, but you might find you're streaming whole tables to the client in order to do simple processing. The database is good at relating and filtering data, so make sure it still has that job. Ironically, Subsonic's lack of joins (in the version I used), helped with that, because it forced me to create DB Views to combine data where needed.

A friend of mine worked with a guy who developed an in-house ORM tool. It had the nice feature of locally caching everything that you could possibly want from the database, done by walking through the foreign keys. The downside was that reading one column from one row in the DB resulted in an excess of 11,000 select statements.

geofftnz  2009-02-19 03:48:33
you've highlighted my main concern with ORMs. I don't really know what they are doing to get my data
Frustrating Developments  2009-02-19 04:03:10
This was my concern also. The first thing I did was fire up SQL Profiler (MSSQL). My concerns evaporated.
geofftnz  2009-02-19 04:25:26
Yeah there is definately this incorrect assumption that once you use an ORM you're A) stuck with the SQL it makes and B) that SQL is bad. On both counts it's a bit of misinformation. If the query is bad, make your own and move on.
Webjedi  2009-02-19 21:32:47
A: 

Stored Procs don't remove the risk of sql injection. The person that is likely to concat queries in code is just as likely to do so in a stored proc. And any good ORM doesn't do string concats anyway so there is no issue.

Craig  2009-02-19 03:49:34
Except that this is _my_ database and if you (bad/junior) developer wants to do something to the database, you tell me what you want and I create the sprocs.
Frustrating Developments  2009-02-19 04:01:41
+1  A: 

I have inherited a web app which was created with NHib and MyGeneration, unfortunately didn't get the svn repo, and no longer have the initial templates (arrggg).

Have kept nhibernate for the Create/Update/Delete back end stuff, but the front end (read only) was somewhat witlessly implemented, and runs like a 2 legged dog, and is now being rewritten in plain old ADO.NET, and goes up to 10 times faster.

Am not saying that this is due to NHibernate, it is due to developers not knowing how much crap they were sending along the wire, and assuming that blindly using a tool would mean they didn't have to think about it.

For the purpose of readonly queries, you can often make them much more efficient writing it by hand.

For things that have to write to the DB, is generally easier, and not that much slower, to let a decent ORM do it.

My personal preference is for SubSonic, which I have found performs pretty well for medium sized projects, and if you find a bottleneck, you can work around it by hand.

Tools are great, and anything that gives me more weekend is doubly great, but there is no substitute for the tool between your ears.

seanb  2009-02-19 04:08:18
A: 

nice question and nice answers. I've just got involved with these issues too. I prefer an ORM like SubSonic to hand coded DAL.

Shiny  2009-04-27 02:43:37
A: 

Comment on your Stored Proc question. No matter how the functionality gets written, DAL, ORM, stored procs, there will be SQL involved. If you use stored procedures you write the SQL inside, and it's relatively easy to build in useful abstractions. If you use DAL, you write the SQL, but in practice it's more likely to be unabstracted SQL with increased exposure to injection. If you use ORM, the tool writes the SQL (which you are nonetheless ultimately responsible for - including injectability). IMHO, the fewest moving parts (especially ones you know and understand) the better.

le dorfier  2009-04-27 02:59:14
A: 

Okay, this was for a PHP application, not a .net one, but I think the same qualities are important.

I re-wrote a PHP intranet app some years ago that was heavily database-based. As is typical of many PHP apps that have "just grown", it didn't use any sort of ORM and had a lot of duplicated code, much of it assembling similar queries in different ways.

I had a cursory look at some ORM frameworks, but they all had a big problem: they would have required customising them to work in our structure. The big missing component was database scalability. So I wrote my own handler. Then it was a simple matter to keep going and build our own object-based data layer. We got to implement features we wanted, too, that did what we needed.

In retrospect, this was a hugely useful exercise for me. It means I now know how ORM layers work and how they have to work. It was also bucking the trend of a lot of database scaling, because it raised the problem up into the application, where the knowledge about the data was.

staticsan  2009-04-27 03:06:42
A: 

I have been VERY successful simply using a DataSets in .Net. We have a SOAP endpoint that will first validate the input with an .XSD. Then, you can use a rules engine to do some validation. Then...

If the request is to insert data:

  • Use GetXml() on the DataSet to convert to XML.
  • Send the XML to a sproc that uses OPENXML in SQL Server.

If the request is to select data:

  • Write a sproc to spit out the data with multiple SELECT statements.
  • Load that data into a DataSet (being sure to build "nested" relationships where needed).
  • Use GetXml() on the DataSet to covert to XML used in SOAP.

I've used this process with a great deal of success in several production environments. It's fast and simple if you know you'll only use SQL Server.

User1  2009-07-10 21:21:13
A: 

Have you tried redbean? In development phase it's fluid and easy to use while in production mode (frozen) its fast. http://redbeanphp.com

 2009-07-30 06:26:46

related questions

Why @OneToMany does not work with inheritance in Hibernate
Adaptive Database
Any thoughts on DevExpress XPO ORM Package?
Detach an entity from JPA/EJB3 persistence context
NHIbernate: Difference between Restriction.In and Restriction.InG
Generating database tables from object definitions
Simple Object to Database Product
NHibernate vs LINQ to SQL
Hibernate saveOrUpdate with another object in the session
(N)Hibernate Auto-Join
Search strategies in ORMs
Switching to ORMs
updating an auto_now DateTimeField in a parent model w/ Django
Why do we need entity objects?
ADO.NET Entity vs NHibernate
Should DB layer members be static or instance?
LINQ to SQL Mapping From Money to Double
C# Database Access: DBNull vs null
PHP + MYSQLI: Variable parameter/result binding with prepared statements.
Best .NET Solution for Frequently Changed Database
Configurable Table Prefixes with a .Net OR/M?
Class::DBI-like library for php?
Querying like Linq when you don't have Linq.
What are your favorite .NET Object Relational Mappers (ORM)?
Subsonic Vs NHibernate