Re: BID 994,MS00-010 (Site Server Commerce Edition non-validated

From: Steve.Kimbleat_private
Date: Wed Mar 01 2000 - 10:54:07 PST


    >-----Original Message-----
    >From: Jefferson Ogata
    >Sent: 28 February 2000 20:24
    
    >>Bertrand Schmitt wrote:
    >>
    >> If you use Stored Procedure calls in your ASP pages this can't
    >> happen!! Manually creating SQL statements within ASP is poor design :
    >> not as efficient and secured as storing them in your database server
    >> (as stored procedures) and making a call to them without speaking
    >> of coding properly : how do you reuse these pieces of code?!
    
    >Jefferson Ogata wrote:
    >
    >Actually, it can be argued that using stored procedures is in general bad
    >design, as it buries your business rules down in the database layer. At the
    >same time, reliance on stored procedures usually locks you into a single
    >database vendor, thereby making the system unportable.
    
    >A better design is middleware.... (etc.)
    
    >I find the idea of transmitting unvalidated input directly to the database and
    >leaving validation to the unportable stored procedure code to be distinctly
    >unsettling, and of no benefit to security.
    
    Hell's bells! I can't imagine a database designer or coder _not_ performing
    validation as the data is processed into a database, regardless of whether this
    has already been done.  Also, the notion of "burying business rules in the
    database" is totally sound, surely.  Have we not (that's the IT industry "we"),
    for many years, been attempting to tie our data closer to our business rules
    so that the two become indistinguishable? Stored procedures are just part
    of that. A simple view of the "data and the means to process it" is an "object",
    yes? If I could specify one "object" which equates to a complete business,
    I think I'd make a mint and retire...no, on second thoughts, I think I'd keep
    the idea very quiet, for similar reasons as the car industry has for not
    abandoning reciprocating engines that run on oil products.
    
    Regards, Steve.
    
    (Here please read usual stuff re. my opinions not being those of my
    employers, etc.)
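The point the thread circles around, shown as an added example that is not code from any of the posters: what protects the query is the boundary between SQL text and request data (a bound parameter, whether to inline SQL or to a stored procedure), plus application-side validation. sqlite3 stands in for the SQL Server backend and the table, rows and names are constructed for the demo.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory customer table (stand-in for the site's database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice Smith", "alice@example.invalid"), ("Sean O'Brien", "sean@example.invalid")],
    )
    return conn


def lookup_concatenated(conn, name):
    """The pattern the advisory is about: SQL assembled from request input.
    A quote inside the input becomes part of the SQL grammar, so the engine
    no longer distinguishes the data from the statement."""
    sql = "SELECT email FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Input passed as a bound parameter stays data whatever it contains.
    Calling a stored procedure with parameters gives the same boundary; a
    procedure that concatenates its arguments into dynamic SQL does not."""
    rows = conn.execute("SELECT email FROM customers WHERE name = ?", (name,))
    return [row[0] for row in rows]


def validate_name(name, max_len=64):
    """Application-layer validation done before the data reaches the database:
    an allow-list of characters a customer name is expected to contain."""
    if not name or len(name) > max_len or not re.fullmatch(r"[A-Za-z' .-]+", name):
        raise ValueError("name rejected by validation")
    return name


def compare(name):
    """Run both lookups on the same input; the concatenated form reports the
    database error it hits on a legitimate name containing an apostrophe."""
    conn = make_db()
    try:
        concat = lookup_concatenated(conn, name)
    except sqlite3.Error as exc:
        concat = "error: " + type(exc).__name__
    return concat, lookup_parameterized(conn, name)
```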
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:34 PDT