Eric Wise

May 2006 - Posts

• In Response To No Stored Procedures

  You'll have to catch up on my original post and Jeremy's informative post before delving into this one. As I brought up in my original posting.  I'm curious to know what the O/R mapper world does about security?  I imagine you have to fill your business objects with security checks in lieu of giving rights to stored procs and data.  Does not this add a lot of code?  If I were to somehow grab your .dll internally, would I be able to query and modify data at will? How do you handle maintaining application history?  Are you manually making multiple updates on seperate database calls?  I'm assuming that if you're anti - stored procedure that you are also anti-trigger.  If you're ok with just overwriting data that's cool in your application scenario, but what would you do in a situation where you needed to implement something like a transactional database structure or otherwise be very agressive about tracking changes and state for rollback or reporting? Jeremy does make the admission that he has not written hardly any direct ado.net manipulation in a while.  This suggests that his database needs are simple straightforward table writes.  This is actually a situation where I tend to support things like Ruby on Rails and O/R mappers.  If you don't need or care about #1 and #2 the argument for stored procedure use is relatively weak. "That's an easy answer Eric, stored procedures make TDD a slower, less productive process."  This one really bothers me.  I was under the assumption that TDD you would write a test that failed, and use loosely coupled interfaces in order to "mock" test your application?  If this is true, then why is it so difficult mock a view?  You can quickly create a view stub that just returns column names and mock that.  You can also create a strongly typed dataset, or pass in a business object just assuming that the data will be there.  The population of said object I would think is its own test.  I don't know enough about TDD to make a skillful argument though, I'm just pointing out that mocking the return of a stored procedure can't be any harder than mocking the return off a table or view. "Expletive.  NO, NO, NO!!!!!  The DBA should most certainly NOT work independently of the programming team.  Stored procedures are code, and potentially destructive code at that.  If you change a stored procedure you *MUST* integrate and test the stored procedure against the application before it gets anywhere near production."  This one is my bad since I was unclear in what I meant.  What I meant was once you have a structure laid out for what data you expect from what stored procedure/view, the database team is able to make adjustments in the background and as long as the integrity is maintained the application will not be effected.  You certainly should be building and running tests on a beta environment before moving to production.  It sounds to me that this isn't so much an argument against stored procedures but against poor testing from DBA teams.  The point I was moving ponderously towards was that a good DBA uses analysis tools on the server to locate performance choke points and then should be free to go in and tweak queries, index columns, etc without needing to involve a developer every step of the way.  If all the SQL is in the application, there is no way for the DBA to tweak the sql quickly, cheaply, and efficiently. Posted May 25 2006, 06:18 PM by Eric Wise with 31 comment(s)

• The Pragmatic Adhoc SQL vs Stored Procedures Discussion

  Today Jeremy linked to a post with some amusing comics but ended with a statement that came off to me as anti-stored procedures.  I can already smell the debate of ad-hoc sql in your data layer versus stored procedures so I thought I'd write up a quick post describing why neither party is right, and that the pragmatic developer walks the middle of the road.   Stored Procedures Are More Secure This is the strongest argument for using stored procedures versus ad-hoc sql.  First, you can be sure that no sql injection attacks will ever occur.  In the ad-hoc world you're depending on all developers and accounts that access the database to use parameterized queries. A bigger reason is that in the ad-hoc world you actually have to grant the user/application the rights to change data in the server directly on the table.  In my very humble opinion this is unacceptable.  Should an account become compromised, the hacker now has rights to do basically whatever they want to your data, which is a bad situation to be in.   Stored Procedures (and views) Protect Your Application From Changes As people jump onto the Agile/Unit Testing bandwagon, I see this common theme about insulating your application from damage from changes.  So when I see people in the TDD crowd slamming stored procedures and views it greatly confuses me.  If you run things though views and stored procedures, you have the power to completely rip out the underlaying data structure and just ensure that the stored procs and views return the new structure's data in the expected format for the application.  Your DBA team can work completely independently of your programming team and do pretty much whatever they want and your application doesn't care!  *gasp* a stored procedure or view is like a contract or interface. In addition, you can make minor changes to a stored procedure without a recompile/redeploy, unlike ad-hoc.   Stored Procedures aren't portable The biggest weakness.  But only a weakness if you actually do support multiple databases.  Unless you're an ISV or software vendor this is unlikely.  I would wager that the vast majority of developers work with a single database platform.   Dynamic Where Clauses Are A Pain in the Ass Dynamic queries are difficult for programmers to write, and not all that fun to look at when compared to ad-hoc querying.   So what do I do? If I'm designing a system, or you're asking me what I recommend, here's what I do: Both.  Here are my rules of thumb: As much business logic as possible goes into the code layer, it's job is to scrub the data for the database server.  The database server only enforces ACID. Anything that changes data is a stored procedure.  Accounts are granted execute on a need be basis to the stored procs.  This way if something is compromised, they still have to play by your rules, limiting the damage. Reporting, filtering, and otherwise dynamic queries are done with in line/ad-hoc sql but must be executed against views with only select rights granted to the accounts. The database is designed to filter, sort, and index things far more efficiently than you could ever do on the programming side... let the database do what it does well. The biggest thing to take away from the above is reducing your attack surface and jealously guarding your data integrity.  Stored procedures and views are the best tools we have for this task. Posted May 24 2006, 07:52 PM by Eric Wise with 23 comment(s)

• Sahil on C# 3.0 and Linq

  Sahil is off to the races in his new blog.  You should check out his series on C# 3.0 and linq features. http://blah.winsmarts.com/2006/05/17/demystifying-c-30--part-1-implicitly-typed-local-variables-var.aspx Personally, I'm a bit torn over the Linq thing.  It looks really neat on the surface, but I am struggling to figure out how this is really better than using stored procedures etc to return your data.  Maybe it's because as a web guy I'm used to working in a stateless environment so my data doesn't normally hang around long enough that Linq would be useful. Posted May 22 2006, 01:34 PM by Eric Wise with 10 comment(s)

• Lashing Out

  Ok Apple, your new commercials are humorous in their own way but contain quite a bit of FUD.  As if Windows can't talk to a digital camera.  Yeah it's great that you have iLife iWhatever bundled in but recall the Microsoft gets sued for bundling anything. Regardless, the commercials aren't really what I need to lash out about.  Safari... YES Safari.  XSLT is not available as a service to javascript — it’s only callable as an initial XSL transform with the page load?  Are freaking serious?  You call this a modern browser? Anyways, long story short we had a very nice site working with atlas but Safari's updatepanel problems have temporarily killed it.  Thanks Apple.  'preciate it.  Hopefully Microsoft can navigate the safari jungle soon so I can wire this back up. Not that I'm going to let microsoft off the hook.  I have a scriptmanager s1 on the page.  If I try to set enable partial rendering to false on page load I get an error that I can only do that in the pre_init.  If I do it in the pre_init I get an object reference not set to instance of an object.  I'm probably doing something wrong but for the life of me I can't see it.  If I put in a check if (s1 == null) that check is true in pre_init. Posted May 22 2006, 10:08 AM by Eric Wise with 2 comment(s)

• Easy Assets .NET v2.0

  Just thought I'd drop a line for the faithful.  It's very flattering that even months after the last release I still get emails praising the application as easy to use and set up.  Mixed in with the praise is the question as to whether there will be a .NET 2.0 version. The answer is yes!  I'm plugging away at it slowly but surely.  This time around you will be seeing some vast improvements over v1.1 including: New layout- I am going to maximize screen real estate (the sidebar menu looked nice, but ate up a good chunk of the viewable space last time around) Less Tables, More CSS-  I'm pushing hard this time to make sure css is consistantly used throughout the site.  Where it's convenient and makes sense tables will be going away and css styled divs will be going in. More intuitive coding pattern- The existing codebase is pretty easy to modify and use, but I think I can take it a step further! Performance Enhancements- This time around you'll see some more agressive caching going on which will be configurable in the web.config file. SQL Reporting Services Project- One of the major weaknesses of the existing release is that there wasn't much in the way of reporting mostly because I was unsure what users would need.  I have gotten a lot of feedback in this area and will be releasing a sql reporting services project with a series of reports that can be deployed.  I will likely include the same reports in the application, but they won't have all the nice charts, exports, etc that reporting services provides. Atlas! - The new version will embrace the use of Atlas where it is appropriate. When will all this happen?  I'm shooting for around September/October.  Hopefully Atlas will be final by then. Posted May 17 2006, 06:51 PM by Eric Wise with 3 comment(s) Filed under: Easy Web Applications

• TechEd 2006 : Where I'll Be

  Monday, June 12 ------------------- 9:00 AM - 10:15 AM      WEB301 ASP.NET: Accelerating Web Application Development with the Microsoft Enterprise Library   205 ABC      10:45 AM - 12:00 PM DAT303 SQL Querying Tips and Techniques   258 ABC        1:30 PM - 2:45 PM      DEV307 Delving into Visual Studio 2005 Team Edition for Software Developers   Grand Ballroom A      3:15 PM - 4:30 PM BIN305 Architecting and Designing High Performance Warehouses and Datamarts with SQL Server 2005   259 AB      5:00 PM - 6:15 PM DAT308 Programming the SQL Server Common Language Runtime (SQL CLR)   52 AB      Tuesday June 13th ----------------- 8:30 AM - 9:45 AM      ARC206 Evolving to Patterns   205 ABC      10:15 AM - 11:30 AM      WEB306 ASP.NET: Best Practices for Building Secure Web Applications Using ASP.NET and IIS 6.0   205 ABC      1:00 PM - 2:15 PM CON216 .NET Framework 2.0: Introduction to System.Transactions   253 ABC      2:45 PM - 4:00 PM BIN314 SQL Server 2005 Reporting Services: Advanced Report Design   102 AB      4:30 PM - 5:45 PM DAT318 Programming SQL Server 2005 from .NET to C++ to Java   153 ABC      6:30 PM - 7:30 PM Dlinq         Wednesday June 14th ------------------- 8:30 AM - 9:45 AM      BIN310 SQL Server 2005 Reporting Services Management and Security   253 ABC      10:15 AM - 11:30 AM      DEV327 Visual Studio 2005 Team Foundation Server (Part 1): Applying Version Control, Work Item Tracking and Team Build to Your Software Development Project   160 ABC      2:00 PM - 3:15 PM      DEV429 Visual Studio 2005 Team Foundation Server (Part 2): Developing Custom Process Templates, Work Item Types and Policies   160 ABC      3:45 PM - 5:00 PM      WEB313 ASP.NET: Building and Deploying Web Applications with Visual Studio 2005   258 ABC      5:30 PM - 6:45 PM      ARC215 Patterns and Anti-Patterns for Service-Oriented Architectures   258 ABC      Thursday June 15th ------------------ 8:00 AM - 9:15 AM      WEB314 ASP.NET: Building Real-World Web Application UI with Master Pages, Themes and Site Navigation   258 ABC      9:45 AM - 11:00 AM      WEB315 ASP.NET: End-to-End - Building a Complete Web Application Using ASP.NET 2.0, Visual Studio 2005, and IIS 7 (Part 1)   Grand Ballroom A      1:00 PM - 2:15 PM      WEB316 ASP.NET: End-to-End - Building a Complete Web Application Using ASP.NET 2.0, Visual Studio 2005, and IIS 7 (Part 2)   Grand Ballroom B      2:45 PM - 4:00 PM      ARC219 Software As a Service: The Good, the Bad and the Ugly   258 ABC      4:30 PM - 5:45 PM      WEB210R IIS 7: End-to-End Overview of Microsoft's New Web Application Server (Repeat Session)   153 ABC        Friday, June 16th ----------------- 9:00 AM - 10:15 AM      WEB318 ASP.NET: Creating High-Performance, Enterprise-Scale Web Applications Using Visual Studio 2005 Team System   52 AB      10:45 AM - 12:00 PM      DEV346 Visual Studio: Rapid Development of Data End-to-End Solutions and How They Work in an N-Tier Model   156 ABC Posted May 11 2006, 03:39 PM by Eric Wise with no comments

• Petsmarketing Is Hiring

  Wanted to take a quick time out and let you readers know that Petsmarketing is looking for some mid-senior .NET developers. http://cleveland.careerboard.com/cgi-bin/a/highlightjob.cgi?jobid=112007 The work environment is very nice, they provide good hardware and tools packages for developers, and you get a chance to work with the latest in .net (Atlas, c# 2.0, etc) on a mission critical project.   Posted May 09 2006, 07:52 AM by Eric Wise with no comments

• Visual Studio 2005 - Recent Projects

  Why is there not a hook in the GUI to manage this?  Anyways, if you want to clear out the garbage from your list just fire up ye olde regedit and go here: HKEY_CURRENT_USER\Software\Microsoft\VisualStudio\8.0\ProjectMRUList Posted May 02 2006, 08:28 AM by Eric Wise with 8 comment(s)