AskSQLTeam
Ask SQLTeam Question
0 Posts
Posted - 2003-07-22 : 07:38:38

inquiringuser writes "We have an application that runs across a wide platform of databases. To support this we have kept the use of our SQL to what we consider to be a very vanilla approach. For example, we use no stored procedures, we do not rely on database security, all our security is application driven. It is the philosophy of one group within our company that because of this approach we can guarantee that our application will run without any problems on SQL Server 2000 regardless of what service packs are installed. This group feels that there is nothing that is service pack driven that would cause our transactions with the database to fail. Therefore, it is the group's opinion that we do not need to keep in our testing environment different versions of SQL Server with different service packs, and can unilaterally make the claim to our customers that we are able to support any service packs regardless of the fact that we do not have the service pack installed and we have not tested against them. I am trying to gather enough information to either support this theory, or debunk it if that be the case."

robvolk
Most Valuable Yak
15732 Posts
Posted - 2003-07-22 : 07:54:37

quote: For example, we use no stored procedures, we do not rely on database security, all our security is application driven.

This approach is the best way to write a completely unsecure and easily hackable database application. It is prone to SQL injection abuse: http://www.sqlteam.com/SearchResults.asp?SearchTerms=injection

And by not using security in the database itself, if someone bypasses the application they can get full and unrestricted access to the data.

quote: It is the philosophy of one group within our company that because of this approach we can guarantee that our application will run without any problems on SQL Server 2000 regardless of what service packs are installed. This group feels that there is nothing that is service pack driven that would cause our transactions with the database to fail.

If your group's philosophy is to do the easy thing, and avoid properly maintaining their code and its security, you may point out that Microsoft used to do the same exact thing, and was hammered by Code Red, Nimda, SQL Slammer, and god knows how many Outlook viruses and worms. It's not a practical approach to application design if you want to stay in business or maintain a good reputation.

quote: Therefore, it is the group's opinion that we do not need to keep in our testing environment different versions of SQL Server with different service packs, and can unilaterally make the claim to our customers that we are able to support any service packs regardless of the fact that we do not have the service pack installed and we have not tested against them.

Security issues aside, that's a great way to open yourself to liability issues if someone does run your software on a different service pack and it blows up. To make that kind of claim without actually testing it is not only stupid but possibly criminal.

Does your group's philosophy also involve the taking of many strong recreational substances? They seem to do most of their application design under their influence.
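To illustrate Rob's point about SQL assembled inside the application, here is an added example (not from the thread or from SQLTeam) in Python over an in-memory SQLite table: the same login lookup written by string concatenation, as in the "vanilla" approach, and with bound parameters. The table, the users, and the hostile password string are constructed for the demo.

```python
import sqlite3

# Constructed sample database for the demo (plaintext passwords only for brevity).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwd TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn

def login_concat(conn, name, pwd):
    # The "vanilla" pattern: the statement is built from user input as text,
    # so a quote in the input ends the literal and rewrites the WHERE clause.
    sql = ("SELECT name, role FROM users WHERE name = '" + name
           + "' AND pwd = '" + pwd + "'")
    return conn.execute(sql).fetchall()

def login_param(conn, name, pwd):
    # Same query with bound parameters: the driver sends the values separately,
    # so the input is always data and the statement structure cannot change.
    sql = "SELECT name, role FROM users WHERE name = ? AND pwd = ?"
    return conn.execute(sql, (name, pwd)).fetchall()

def demo():
    conn = make_db()
    hostile_pwd = "x' OR '1'='1"  # constructed hostile input for the comparison
    return {
        "concat_legit": login_concat(conn, "alice", "s3cret"),
        "concat_hostile": login_concat(conn, "alice", hostile_pwd),  # every row
        "param_legit": login_param(conn, "alice", "s3cret"),
        "param_hostile": login_param(conn, "alice", hostile_pwd),    # no rows
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Parameterised statements remove the injection path, but they do not replace database-side permissions: if the application's login can read and write every table, a bypass of the application still gets everything.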

JimL
SQL Slinging Yak Ranger
1537 Posts
Posted - 2003-07-22 : 09:20:29

I agree with Rob, your company’s philosophy is almost the exact opposite of what I would consider correct database and security design. Just a couple of points.

By not using Stored Procedures, Views and Functions you not only hurt security and have to do a great deal of repetitive work on the application side, but you have slowed down your data access as you must load all of the data to the App. before processing.

By not keeping up to date with current Versions, Service Packs and patches you open the door for hackers and Viruses (ever heard of the WORM).

I am trying to be professional here but what I really want is to go give your (Team) a swift Kick in the pants.

Jim

Users <> Logic

tkizer
Almighty SQL Goddess
38200 Posts
Posted - 2003-07-22 : 15:37:29

Wow inquiringuser, you are doing exactly what is not recommended. Just because you are using a vanilla approach (I would call it a Hell approach) doesn't mean that it supports all service packs. The service packs contain fixes for bugs. A vanilla approach would encounter the bugs just like other approaches.

Tara

tkizer
Almighty SQL Goddess
38200 Posts
Posted - 2003-07-22 : 15:54:20

I would also like to add that the service pack has the same effect on T-SQL whether it is in a stored procedure or not.

Tara

jsmith8858
Dr. Cross Join
7423 Posts
Posted - 2003-07-22 : 16:05:33

Do you guys use Joins? Foreign keys? Indexes?

- Jeff

graz
Chief SQLTeam Crack Dealer
4149 Posts
Posted - 2003-07-22 : 18:01:23

Columns? Tables?

===============================================
Creating tomorrow's legacy systems today. One crisis at a time.

tkizer
Almighty SQL Goddess
38200 Posts
Posted - 2003-07-22 : 18:05:59

Graz, I have a question about "Ask SQLTeam". How does it work (and yes, I read the description of how it works)? Do the questions just get posted in the forums and they need to check back later to see if it has been answered? Do you actually respond directly to them sometimes and other times put it in the forums? I'm just wondering how inquiringuser is supposed to know how bad this is. If he/she is expecting it to be e-mailed, then he/she might think that no one answered the question.

Tara

robvolk
Most Valuable Yak
15732 Posts
Posted - 2003-07-22 : 18:54:58

Yes, they get posted in the forums, but it usually takes a day or two (3-4 if they post near the weekend). It is incumbent on the poster to check the forums; we do not send them an email notification even if they ask for it (a few do, though less than in the past). I don't think it's even possible for them to get an email when it's posted (graz? yes? no?) because of how the email is configured. The idea is that if you want or need an immediate response, you would register and post it in the forums, since it will be swarmed over and answered by our ravenous, posting-addicted, knowledgeable forum participants rather quickly.

nr
SQLTeam MVY
12543 Posts
Posted - 2003-07-22 : 21:08:09

Lol - is this a real company or a joke?

>> and can unilaterally make the claim to our customers that we are able to support any service packs regardless of the fact that we do not have the service pack installed and we have not tested against them.

That's an easy one - some features just do not work until fixed in service packs (or are caused to not work), so anyone saying that they can support all service packs on a single system is talking out of ...

Same applies to OS, service provider, network card, disk controller, .....................

Sounds like management speak - obviously not passed through anyone who knows about development.

Wouldn't life be easy if it was really like that.

Guess you are also using SQL that will run correctly on any database? Suggest you don't try to answer that one.

==========================================
Cursors are useful if you don't know sql.
DTS can be used in a similar way.
Beer is not cold and it isn't fizzy.