College of Business

A Quick Introduction to Stored Procedure and Trigger Syntax

To Proc or not to Proc
• Multi-Platform Implications
• DB Utilities and Reliance on System Data
• Module Independence (Coupling and Cohesion)
• Development Team – Skills, Size, Risks

Technical Details
• Passing Parameters vs. Specifying SQL Syntax
• Storing Code Modules in the Database
• Data Independence
• Returning Values
• Creating Variables
• Inserted and Deleted ‘tables’ in Triggers
• Performance (?)
A Quick Introduction to Stored Procedure and Trigger Syntax
Now Create a ‘Smarter’ Proc

ALTER PROCEDURE AddWeblogEntry
    @Source_IP_Address nvarchar(16),
    @TE_File_Requested nvarchar(255),
    @Querystring nvarchar(255)
AS
BEGIN
    DECLARE @IsTechStaff int  -- declares a variable for use in this procedure

    -- In effect this asks if this address is in the list: 0 = no, >0 = yes
    SELECT @IsTechStaff = COUNT(*) FROM TechStaffList WHERE host_ip = @Source_IP_Address

    IF @IsTechStaff > 0
    BEGIN
        INSERT INTO TechWeblog ([host_ip], [file], [querystring], [timestamp])
        VALUES (@Source_IP_Address, @TE_File_Requested, @Querystring, GETDATE())
    END
    ELSE
    BEGIN
        INSERT INTO Weblog ([host_ip], [file], [querystring], [timestamp])
        VALUES (@Source_IP_Address, @TE_File_Requested, @Querystring, GETDATE())
    END
END
What Result Do You Expect Here?

truncate table Weblog      -- this clears everything so we can start clean
truncate table TechWeblog

-- Note this is exactly the syntax as before; programs that CALL the proc need NOT change
exec AddWeblogEntry '123.123.121', '/view_lesson.php', 'url=http://www.te.org/.../l1.xml'
exec AddWeblogEntry '123.123.122', '/view_lesson.php', 'url=http://www.te.org/.../l2.xml'
exec AddWeblogEntry '123.123.123', '/view_lesson.php', 'url=http://www.te.org/.../l3.xml'
exec AddWeblogEntry '123.123.124', '/view_lesson.php', 'url=http://www.te.org/.../l4.xml'
exec AddWeblogEntry '123.123.121', '/view_lesson.php', 'url=http://www.te.org/.../l5.xml'

select * from WebLog
select * from TechWeblog
Even Wilder… Triggers

• What if we often realize after the fact that certain IP addresses are part of the tech staff?
• We can have the database perform special procedures, called triggers, whenever data in a table is changed (UPDATE, INSERT, or DELETE).
• So, this is a bit far-fetched – given the frequency of changes and other issues, this example may not justify a trigger. But let’s go with it to understand HOW a trigger works.
Create A Trigger

CREATE TRIGGER dbo.Tr_TechStaff_IPAddress_Change
ON dbo.TechStaffList
FOR INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;  -- avoids extra result sets that would be generated

    -- When records are Deleted or Updated, the old contents are listed in 'deleted'
    -- So, we will move any log records for this ip from the Tech list back to the main list
    INSERT INTO Weblog ([host_ip], [file], [querystring], [timestamp])
    SELECT TechWebLog.[host_ip], [file], [querystring], [timestamp]
    FROM TechWebLog
    JOIN deleted ON TechWebLog.host_ip = deleted.host_ip

    DELETE TechWebLog WHERE host_ip IN (SELECT host_ip FROM deleted)

    -- When records are inserted or updated, the new contents are listed in the table 'inserted'
    -- So our code will 'move' all the records in WebLog to TechWebLog for these addresses
    INSERT INTO TechWeblog ([host_ip], [file], [querystring], [timestamp])
    SELECT WebLog.[host_ip], [file], [querystring], [timestamp]
    FROM WebLog
    JOIN inserted ON WebLog.host_ip = inserted.host_ip

    DELETE WebLog WHERE host_ip IN (SELECT host_ip FROM inserted)
END
What Result Do You Expect Here?

truncate table Weblog; truncate table TechWeblog; truncate table TechStaffList  -- clear old stuff
select * from WebLog; select * from TechWebLog; select * from TechStaffList

INSERT INTO TechStaffList (host_ip) VALUES ('123.123.123')
select * from WebLog; select * from TechWebLog; select * from TechStaffList

INSERT INTO TechStaffList (host_ip) VALUES ('123.123.121')
select * from WebLog; select * from TechWebLog; select * from TechStaffList

DELETE TechStaffList where host_ip = '123.123.121'
select * from WebLog; select * from TechWebLog; select * from TechStaffList
So – That Was a Quick Intro

• Now let’s look at the notes online
Accounts Receivable Application: Extending Credit to Customers

Application Architecture

Production Interfaces
• EDI supports efficient customer processes
• Sales identifies new customers
• Credit managers adjust credit limits
• Web store allows direct sales
• Direct DB access through utility apps

Business Logic
• Policies and access controls reduce risk
• Processing instructions enact transactions

Database
Risk Number 1: Bad Credit Limits

• The Business Risk: If credit limits are changed inappropriately, we might ship product for which we will never be paid
• Control: Only selected individuals are authorized to set or change credit limits
• Control implementation
  – programs that change limits must check a list of authorized people before changing a limit
  – changes are logged for verification
More Risks: Errors or Hacks in a Heterogeneous Environment

• Risk: Given the multiple interfaces that might change the limits, any one of many components may have an error that could result in wrong credit limit data
• Risk: Someone could go in with a utility program or an SQL injection attack and change a limit, thereby bypassing the coded controls
  – This might be inadvertent or fraudulent

Can you see how stored procedures or triggers could help here?
What needs to be done to change a customer’s credit limit?

• Who am I?  Get the user name from the system. Windows handles this when it connects to the DB.
• May I?     A database lists users in roles. This role is called ChgClientCreditLimit.
             if ( (Select count(*) where Person, Role) > 0 ) OK
• Do it      Update Clients Set CreditLimit = ? for this customer
• Log it     Worked? Remember what was done by whom. Forbidden? Remember who tried.
• Display    Tell the user what happened
Scenario 1 – Client Heavy

C#.Net:
  Connect, Authenticate, Check for success
  Specify authorization parameters; Specify tables, columns, and SQL; Execute and check success
  Specify update parameters; Specify tables, columns, and SQL; Execute and check success
  Specify logging parameters; Specify tables, columns, and SQL; Execute and check success
  Specify Results parameters; Specify tables, columns, and SQL; Execute and check success
  Display results

DB Server:
  ‘Blindly’ perform SQL instructions

3 pages of C# code with embedded table/column names, authorization rules, and business logic
Scenario 2 – Stored Proc

C#.Net (the steps struck through in Scenario 1 move to the DB server):
  Connect, Authenticate, Check for success
  Specify update parameters
  Exec Stored Proc; Execute and check success
  Display results

DB Server:
  Stored Procedure ChgClientCreditLimit
    Specify authorization parameters; Specify tables, columns, and SQL; Execute and check success
    Specify update parameters; Specify tables, columns, and SQL; Execute and check success
    Specify Results parameters; Specify tables, columns, and SQL
  Database Trigger Logs the Activity – Trigger Fires Automatically
    Specify logging parameters; Specify tables, columns, and SQL; Execute and check success

Logging is moved into a trigger. Changes are logged no matter how the updates are made: code, proc, or utility.

In our lab, authorization is also moved to its own proc, AuthCheck, which logs denied attempts.
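The five steps from the earlier slide (Who am I? / May I? / Do it / Log it / Display), split the way Scenario 2 describes into an AuthCheck proc, a ChgClientCreditLimit proc and a logging trigger that reads the inserted and deleted tables, as an added T-SQL example that is not the lecture's own lab code. Clients.CreditLimit, the role name ChgClientCreditLimit and the proc name AuthCheck come from the slides; the tables UserRoles and CreditLimitLog, their columns and the ClientID key are assumptions made here.

```sql
-- Tables assumed by this example (constructed here; not from the lecture)
CREATE TABLE Clients (ClientID int PRIMARY KEY, CreditLimit money NULL);
CREATE TABLE UserRoles (UserName sysname NOT NULL, RoleName sysname NOT NULL);
CREATE TABLE CreditLimitLog (LoggedAt datetime NOT NULL DEFAULT GETDATE(),
    ChangedBy sysname NOT NULL, ClientID int NULL, OldLimit money NULL,
    NewLimit money NULL, Outcome nvarchar(160) NOT NULL);
GO
-- "Who am I?" / "May I?": the login comes from the connection, the role list from the DB.
-- A denied attempt is logged with who tried ("Forbidden? Remember who tried").
CREATE PROCEDURE AuthCheck @RoleName sysname, @Allowed bit OUTPUT AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Who sysname = SUSER_SNAME();
    IF EXISTS (SELECT 1 FROM UserRoles WHERE UserName = @Who AND RoleName = @RoleName)
        SET @Allowed = 1;
    ELSE
    BEGIN
        SET @Allowed = 0;
        INSERT INTO CreditLimitLog (ChangedBy, Outcome) VALUES (@Who, 'DENIED ' + @RoleName);
    END
END
GO
-- "Do it" / "Display": the caller passes parameters only, never table names or SQL text
CREATE PROCEDURE ChgClientCreditLimit @ClientID int, @NewLimit money AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Allowed bit;
    EXEC AuthCheck 'ChgClientCreditLimit', @Allowed OUTPUT;
    IF @Allowed = 0
    BEGIN
        RAISERROR('Not authorized to change credit limits', 16, 1);
        RETURN 1;
    END
    UPDATE Clients SET CreditLimit = @NewLimit WHERE ClientID = @ClientID;
    SELECT ClientID, CreditLimit FROM Clients WHERE ClientID = @ClientID;  -- tell the user
    RETURN 0;
END
GO
-- "Log it": fires on any UPDATE of Clients, whether from the proc, a utility program or
-- ad-hoc SQL; old/new values come from deleted/inserted, unchanged limits are skipped
CREATE TRIGGER Tr_Clients_CreditLimit ON Clients AFTER UPDATE AS
BEGIN
    SET NOCOUNT ON;
    IF UPDATE(CreditLimit)
        INSERT INTO CreditLimitLog (ChangedBy, ClientID, OldLimit, NewLimit, Outcome)
        SELECT SUSER_SNAME(), i.ClientID, d.CreditLimit, i.CreditLimit, 'CHANGED'
        FROM inserted AS i JOIN deleted AS d ON d.ClientID = i.ClientID
        WHERE ISNULL(d.CreditLimit, -1) <> ISNULL(i.CreditLimit, -1);
END
```

Because the log is written by the trigger rather than by the proc, a limit changed through a utility program or ad-hoc SQL is recorded just the same, which is the point the slide makes about logging "no matter how the updates are made".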
Things to Ponder

• Which solution has the most cohesive modules?
• How is data independence affected?
• Heterogeneity: Web? Automated? Mobile?
  – What will an interface programmer need to know?
• Reliability, performance, and control
  – DB locks, speed, memory, impact of an error, restoring data, cross-platform consistency
  – Compare the security of a single logging proc and auth proc vs. SQL in multiple code modules

Moving functionality from client, to web server, to DB code profoundly affects a variety of important issues. Which is best? IT DEPENDS.