| Author |
 Topic  |
|
|
durand26
Starting Member
Australia
3 Posts |
 Posted - 05/31/2012 : 13:46:02
|
Hi,
I'm trying to work out a nice template of best practice for all my stored procedures, so that I get into the habit of best practice. Here's what I've come up with.
Have I been overly defensive? Have I overlooked some feature of SQL programming that renders much of my code unnecessary? What does everyone else think?
I really appreciate your feedback! :)
****
CREATE PROCEDURE usp_ProcedureName
(
@Variable1 int,
--First variable
@bVictory bit OUTPUT,
-- Returns 1 if we get to the end of the procedure with
-- no errors. Returns 0 if there was an error. This allows
-- any code that calls this stored procedure to know whether
-- it worked or not, to make it easier to handle errors up
-- the chain.
@ErrorMessage varchar(100) OUTPUT
-- If there is an error, this variable captures the
-- description.
)
AS
--The whole piece of code should be in a Try/Catch block for proper
-- error handling
BEGIN TRY
BEGIN TRANSACTION
--1) VALIDATE INPUTS VIA A CALLED STORED PROCEDURE
-- Check that the variables are actually valid, to prevent
-- Little Bobby Tables errors. (See xkcd.com/327)
--a) Execute the procedure that validates our inputs
EXEC usp_ValidateVariable1
@Variable1,
@bVictory OUTPUT,
@ErrorMessage OUTPUT
--b) See if the validation checked out. (If it did, bVictory
-- will equal 1. If it didn't, it will equal zero, and
-- the error message will be in @ErrorMessage)
IF @bVictory <> 1
BEGIN
RAISERROR(@ErrorMessage, 11, 1);
END
--2) ACTUALLY RUN THE CODE YOU WANT TO RUN
<Code goes here>
--3) DECLARE VICTORY
-- If we get this far in the code without errors, then let's
-- set our error-handling variables to show the code that
-- called it that we made it.
SET @bVictory = 1;
SET @ErrorMessage = 'Success';
COMMIT TRANSACTION
END TRY
BEGIN CATCH
--1) Set our variables @bVictory and @ErrorMessage to show the
-- calling code that we didn't make it after all
SET @bVictory = 0
IF @ErrorMessage IS NULL
BEGIN
SET @ErrorMessage = ERROR_MESSAGE();
END
--2) Log the error
EXEC usp_LogError @ErrorMessage
--3) Roll back the transaction
ROLLBACK TRANSACTION
END CATCH
|
Edited by - durand26 on 05/31/2012 13:50:40
|
|
|
Lamprey
Flowing Fount of Yak Knowledge
3859 Posts |
Posted - 05/31/2012 : 14:27:02
|
I'll keep my comments short.
1. I'd never pre-fix the sproc name like that.
2. I don't see any need to return boolean/string values for status/errors. That is why we have (semi) structured error handling (TRY-CATCH, RAISERROR) and/or a RETURN status. |
Edited by - Lamprey on 05/31/2012 14:27:54 |
 |
|
|
durand26
Starting Member
Australia
3 Posts |
Posted - 05/31/2012 : 14:48:20
|
Excellent! Thanks Lamprey. I didn't know about RETURN statuses.
Do most SQL developers validate their inputs in stored procedures like I've done here? Or is it better to leave that to the validation built into the underlying table?
If my DNA is 37 megabytes, and the Adventureworks database is 220 megabytes, no wonder I don't understand it. |
|
|
|
visakh16
Very Important crosS Applying yaK Herder
India
48115 Posts |
Posted - 05/31/2012 : 15:50:45
|
What type of validation are you trying to do here? Is it some kind of business rules or is it basic validation of data passed like datatype, format etc? if latter, I would be doing it using client side validation logic at front end and will not need a db call for that.
------------------------------------------------------------------------------------------------------
SQL Server MVP
http://visakhm.blogspot.com/
|
|
|
|
Bustaz Kool
Flowing Fount of Yak Knowledge
USA
1440 Posts |
Posted - 05/31/2012 : 19:48:51
|
As a general rule, we always have the first line of a sproc be "set nocount on"
=================================================
There is a foolish corner in the brain of the wisest man. -Aristotle, philosopher (384-322 BCE) |
|
|
|
tkizer
Almighty SQL Goddess
USA
35020 Posts |
|
|
durand26
Starting Member
Australia
3 Posts |
Posted - 06/01/2012 : 04:55:55
|
Thanks for your valuable feedback guys!
Visakh: It was mostly to stop SQL injections. Eg, to stop someone filling out the name section of a web form with
Fred'); DROP TABLE Customers;--
which could cause our customer table to be dropped.
It would be nice if the client side application developer puts enough data validation to stop this sort of input, but surely we as database developers should sort it out too, right? If not, is there another way we design our sprocs to prevent SQL injections?
Bustaz Kool: Thanks! I'll add that
tkizer: Thank you! I'll shorten my transactions. :)
|
Edited by - durand26 on 06/01/2012 05:57:46 |
|
|
|
Lamprey
Flowing Fount of Yak Knowledge
3859 Posts |
Posted - 06/01/2012 : 11:20:16
|
quote:
Originally posted by durand26
? If not, is there another way we design our sprocs to prevent SQL injections?
Don't use Dynamic SQL or, possiblu, use sp_ExecuteSql. |
|
|
|
visakh16
Very Important crosS Applying yaK Herder
India
48115 Posts |
Posted - 06/01/2012 : 11:44:08
|
quote:
Originally posted by durand26
Thanks for your valuable feedback guys!
Visakh: It was mostly to stop SQL injections. Eg, to stop someone filling out the name section of a web form with
Fred'); DROP TABLE Customers;--
which could cause our customer table to be dropped.
It would be nice if the client side application developer puts enough data validation to stop this sort of input, but surely we as database developers should sort it out too, right? If not, is there another way we design our sprocs to prevent SQL injections?
Bustaz Kool: Thanks! I'll add that
tkizer: Thank you! I'll shorten my transactions. :)
its not a problem to do it at sql end but only thing is it will still result in db call even if input values violate validation rules. Thats why its best implemented at client side using validation functions
------------------------------------------------------------------------------------------------------
SQL Server MVP
http://visakhm.blogspot.com/
|
|
|
| |
Topic |
|
Stored procedure template
