10 Things You Shouldn't Do With SQL Server

SqlJunkies::10 Things You Shouldn't Do with SQL Server (Data Access Developer "Don'...


10. Add a Low Privilege Account to the Admin Role

The ASP.NET worker process runs under a low-privilege Windows account: MachineName\ASPNET on Windows 2000 and XP, and NT AUTHORITY\NETWORK SERVICE on Windows Server 2003. When the application cannot reach the database under that account, the quick fix is to add the account to an administrative role (sysadmin on the server, or db_owner in the database). Don't. The worker-process account then holds every right the role has, and so does any SQL statement an attacker manages to push through the application.

Instead, give the account exactly what the data access layer needs: a login on the server, a user in the application's database, and EXECUTE permission on the stored procedures the application calls. Nothing in the application code needs table-level rights if all access goes through procedures. Run the following (SQL Server 2000 system procedures) in the application's database:

http://www.sqljunkies.com/PrintContent.aspx?type=article&id=92CC4817-604D-4344-8... 04/28/2005

-- Windows 2000 / XP: the worker process runs as MachineName\ASPNET.
-- Replace "MachineName" with your machine name and [Alias] with the
-- database user name the login should be mapped to.
EXEC sp_grantlogin [MachineName\ASPNET]
EXEC sp_grantdbaccess [MachineName\ASPNET], [Alias]
GRANT EXECUTE ON [ProcedureName] TO [Alias]
GO

-- Windows Server 2003: the worker process runs as NETWORK SERVICE.
EXEC sp_grantlogin [NT AUTHORITY\NETWORK SERVICE]
EXEC sp_grantdbaccess [NT AUTHORITY\NETWORK SERVICE]
GRANT EXECUTE ON [ProcedureName] TO [NT AUTHORITY\NETWORK SERVICE]
GO

-- Repeat the GRANT for each procedure the application calls. On SQL Server
-- 2005 and later, CREATE LOGIN / CREATE USER replace the two sp_ calls.

9. @@IDENTITY vs. SCOPE_IDENTITY

@@IDENTITY and SCOPE_IDENTITY() both return the last identity value generated on the current connection, but they differ in scope, and the difference bites exactly when you don't expect it. @@IDENTITY is not limited to the statement you just ran: if your INSERT fires a trigger, and that trigger inserts into another table with an identity column, @@IDENTITY returns the identity value from the trigger's insert. SCOPE_IDENTITY() returns the last identity value generated in the current scope (the batch, stored procedure, trigger or function that ran the INSERT), so an insert performed by a trigger does not affect it.

Code that reads @@IDENTITY to fetch the key of the row it just inserted works until someone adds an audit or replication trigger to the table, and from then on it silently returns the wrong key. Use SCOPE_IDENTITY().

The following script shows the difference. It creates two tables with identity columns, inserts into each and reads both functions (they agree), then adds a trigger on TABLE_B that inserts into TABLE_A and inserts again (they no longer agree):

/*In a test database, create a new table named TABLE_A*/
USE SomeTestDatabase
CREATE TABLE TABLE_A ( TABLE_A_id int IDENTITY(100,5) PRIMARY KEY, ItemValue varchar(20) NULL)
/*INSERT records into TABLE_A*/
INSERT TABLE_A VALUES ('Widget')
INSERT TABLE_A VALUES ('Boat')
INSERT TABLE_A VALUES ('Car')
GO

/*Create a new table named TABLE_B*/
CREATE TABLE TABLE_B ( TABLE_B_id int IDENTITY(1,1) PRIMARY KEY, Username varchar(20) NOT NULL)
/*INSERT records into TABLE_B*/
INSERT TABLE_B VALUES ('Doug')
INSERT TABLE_B VALUES ('Erika')
INSERT TABLE_B VALUES ('Lola')
GO

/*INSERT a record into TABLE_B*/
INSERT TABLE_B VALUES ('Kali')

/*SELECT the data to see what values were returned by @@IDENTITY and
SCOPE_IDENTITY() - with no trigger involved, both return the TABLE_B_id of
the 'Kali' row*/
SELECT * FROM TABLE_A
SELECT * FROM TABLE_B
SELECT @@IDENTITY AS [@@IDENTITY], SCOPE_IDENTITY() AS [SCOPE_IDENTITY]
GO

/*Create the trigger that inserts a row in table TABLE_A when a row is inserted
in table TABLE_B*/
CREATE TRIGGER TABLE_B_trig
ON TABLE_B
FOR INSERT AS
BEGIN
INSERT TABLE_A VALUES ('Airplane')
END
GO

/*Now INSERT a record into TABLE_B, which will cause the trigger to be fired*/
INSERT TABLE_B VALUES ('Donny')

/*SELECT the data to see what values were returned by @@IDENTITY and
SCOPE_IDENTITY() - they will be different values. SCOPE_IDENTITY() returns the
TABLE_B_id of the 'Donny' row (the INSERT you explicitly ran in this batch),
while @@IDENTITY returns the TABLE_A_id of the 'Airplane' row that the trigger
inserted.*/
SELECT * FROM TABLE_A
SELECT * FROM TABLE_B
SELECT @@IDENTITY AS [@@IDENTITY], SCOPE_IDENTITY() AS [SCOPE_IDENTITY]
GO

8. Fetch Semi-static Data on Each Request of a Resource

Data that changes rarely (a product catalog, a list of cities or countries, settings read from a lookup table) does not need to be read from the database on every request. Each trip costs a connection from the pool, a round trip to the server and the work of building and shipping the result, and that cost scales with your request rate rather than with how often the data actually changes. Keep a copy in memory and refresh it on a schedule.

ASP.NET gives you two mechanisms. The Cache object holds an arbitrary object (below, a DataTable of products) with an absolute or sliding expiration, a priority that decides what gets evicted first under memory pressure, and an optional removal callback; a request that finds the item in cache never touches the database. Page output caching (the @ OutputCache directive) caches the rendered HTML of a whole page for a number of seconds, optionally keeping one copy per value of a query-string or form parameter (VaryByParam) or of a request header (VaryByHeader). Either way the application can serve data that is up to one expiration interval stale, so choose the interval with that in mind, and don't cache anything that is specific to the current user under a shared key.

DataTable productsTable;
// Insert code here to get a table of Product data

// The following code puts the object in cache
Cache.Add(
    "ProductsTable",                // Name
    productsTable,                  // Object to cache
    null,                           // CacheDependency
    DateTime.Now.AddSeconds(60),    // Absolute Expiration
    TimeSpan.Zero,                  // Sliding Expiration (none)
    CacheItemPriority.High,         // Priority
    null                            // onRemoveCallback
);

// The following code can be used to get the object from cache.
// Read the entry once: it can expire between a null check and a second lookup.
DataTable cached = Cache["ProductsTable"] as DataTable;
if (cached != null)
    productsTable = cached;

<%-- Sets the cache to 60 seconds --%>
<%@ OutputCache Duration="60" VaryByParam="None" %>

<%-- Sets the cache to 60 seconds and creates a separate cached version of the
page based on the "City" parameter --%>
<%@ OutputCache Duration="60" VaryByParam="City" %>

<%-- Sets the cache to 60 seconds and creates a separate cached version of the
page for each Accept-Language header --%>
<%@ OutputCache Duration="60" VaryByParam="None" VaryByHeader="Accept-Language" %>

7. Include SQL Data Manipulation Language in Application Code

Don't assemble SQL statements in application code by concatenating strings that contain user input. The text the user typed becomes part of the statement, and anyone who can type a quote character can change what the statement does: this is SQL injection. Keeping data manipulation language out of the application has a maintenance benefit too: a schema change becomes a change to one stored procedure instead of a search through every page that embeds its own SQL.

Here is the kind of code that should not exist, a login check built by concatenation:


// VULNERABLE: the user's text is spliced straight into the statement
string sql = "SELECT * FROM Users WHERE username='" +
             Username.Text +
             "' AND password='" +
             Encrypt(Password.Text) +
             "'";

SqlCommand command = new SqlCommand(sql, connection);

A username of alice'-- turns the statement into SELECT * FROM Users WHERE username='alice'--' AND password='...': the quote closes the literal, the comment marker discards the rest of the line, and the password is never checked. Other inputs add an OR 1=1 condition to return every row, or append a second statement that the account's permissions allow.

The fix is to send the values as parameters, so the statement text is fixed and the input is only ever data. With SqlCommand, name the placeholders in the text and add typed parameters for them:

string sql = "SELECT * FROM Users WHERE username=@Username AND password=@Password";

SqlCommand command = new SqlCommand(sql, connection);
// Typed parameters: the values are bound at execution time and are never
// parsed as part of the SQL text.
command.Parameters.Add("@Username", SqlDbType.VarChar).Value = Username.Text;
command.Parameters.Add("@Password", SqlDbType.VarChar).Value = Encrypt(Password.Text);

Better still, put the statement in a stored procedure and call it by name with CommandType.StoredProcedure. The application then contains no SQL at all, the procedure's parameter types bound what it accepts, and the account the application connects with needs nothing beyond EXECUTE permission on the procedure:

SqlCommand command = new SqlCommand("Users_GetUser", connection);
command.CommandType = CommandType.StoredProcedure;
command.Parameters.Add("@Username", SqlDbType.VarChar).Value = Username.Text;
command.Parameters.Add("@Password", SqlDbType.VarChar).Value = Encrypt(Password.Text);

The same rule applies to INSERT, UPDATE and DELETE statements, and to dynamic SQL built inside a stored procedure: wherever user input reaches the statement text instead of a parameter, the statement is injectable.

6. Abuse SELECT *

SELECT * returns every column of every table in the FROM clause, whether or not the application uses them. Name the columns you need instead. Unneeded columns cost I/O on the server and bytes on the wire on every execution, and the cost is worst for wide text, ntext and image columns that a list page never displays. Code that relies on column position (reading a DataReader by ordinal, or binding a DataTable's columns in order) breaks when a column is added, removed or reordered, while a named column list keeps working or fails at a clear place. A named list also documents which columns a statement depends on: the optimizer can satisfy it from a covering index, and a reviewer can see exactly which data leaves the database.


5. Create Stored Procedures without Exception Handling

Every stored procedure that modifies data should detect failure and tell the caller about it. A procedure that simply runs its INSERT, UPDATE or DELETE leaves the caller guessing: did the statement succeed, did a constraint reject the row, did the batch die part way through? SQL Server exposes the outcome of the last statement in @@ERROR, which is 0 on success and otherwise the error number. The procedure should capture that value, translate it into an application-level return code and return the code, so the data access layer can tell 'username already in use' apart from 'something unexpected happened' without parsing error text.

The following procedure inserts a user and returns a code the application can act on:

CREATE PROCEDURE dbo.Users_Insert
    @Username VARCHAR (20)
AS
SET NOCOUNT ON
DECLARE @Err INT
SET @Err = 0 -- Success
INSERT Users (Username) VALUES (@Username)
SET @Err = @@ERROR -- Capture immediately: reading @@ERROR resets it to 0
IF (@Err <> 0)
BEGIN
    -- 2627: UNIQUE constraint violation; 2601: duplicate key in a unique index.
    -- (547 is a CHECK or FOREIGN KEY conflict, not a duplicate username.)
    IF (@Err = 2627 OR @Err = 2601)
    BEGIN
        SET @Err = 32 -- Our error code indicating 'Username already in use'
        GOTO abort
    END
    ELSE
    BEGIN
        SET @Err = 1 -- Our error code indicating 'Unspecified error'
    END
END
abort:
SET NOCOUNT OFF
RETURN @Err
GO

The return codes are the contract between the procedure and the data access layer:

0: success.
1: unspecified error; the caller should log the details and fail the request.
32: the username is already in use; the caller can tell the user and let them try again.

Keep the codes in one place that both sides reference, and return them consistently from every procedure that can fail, so the data access layer handles one vocabulary rather than one per procedure.

Two details of @@ERROR matter. Check it after every INSERT, UPDATE and DELETE, not just the last one, because it reflects only the most recent statement. And copy it into a local variable in the very next statement: any statement, including an IF that tests it, resets @@ERROR to 0.
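Putting items 9 and 5 together: the procedure below is an added example, not code from the article. It inserts a user, returns the application-level codes used above, and hands the new key back through an OUTPUT parameter read with SCOPE_IDENTITY(). To show why @@IDENTITY would be the wrong choice, the table carries an audit trigger that inserts into a second identity table. The table, trigger and procedure names are illustrative, and the script assumes a fresh test database.

```sql
-- Added example (not from the original article). Illustrative names;
-- run in a fresh test database.
CREATE TABLE Users (
    UserId   INT IDENTITY(1,1) PRIMARY KEY,
    Username VARCHAR(20) NOT NULL UNIQUE)
CREATE TABLE UsersAudit (
    AuditId  INT IDENTITY(1000,1) PRIMARY KEY,
    Username VARCHAR(20) NOT NULL,
    LoggedAt DATETIME NOT NULL DEFAULT GETDATE())
GO

-- Audit trigger: every INSERT into Users also inserts into UsersAudit and so
-- generates a second identity value on the same connection.
CREATE TRIGGER Users_AuditInsert ON Users FOR INSERT AS
    INSERT UsersAudit (Username) SELECT Username FROM inserted
GO

CREATE PROCEDURE dbo.Users_InsertReturningId
    @Username  VARCHAR(20),
    @NewUserId INT OUTPUT
AS
    SET NOCOUNT ON
    DECLARE @Err INT
    SET @NewUserId = NULL
    INSERT Users (Username) VALUES (@Username)
    SET @Err = @@ERROR            -- capture now; the next statement resets it
    IF (@Err = 0)
    BEGIN
        -- SCOPE_IDENTITY(): the Users row inserted by this procedure.
        -- @@IDENTITY here would be the UsersAudit row the trigger inserted.
        SET @NewUserId = SCOPE_IDENTITY()
        RETURN 0                  -- success
    END
    IF (@Err = 2627 OR @Err = 2601)
        RETURN 32                 -- 'Username already in use'
    RETURN 1                      -- 'Unspecified error'
GO

-- Caller: test the return code first, then trust the OUTPUT parameter.
DECLARE @rc INT, @id INT
EXEC @rc = dbo.Users_InsertReturningId 'Doug', @id OUTPUT
SELECT @rc AS ReturnCode, @id AS NewUserId, @@IDENTITY AS LastIdentityAnyScope

-- Same username again: the UNIQUE constraint rejects the row.
EXEC @rc = dbo.Users_InsertReturningId 'Doug', @id OUTPUT
SELECT @rc AS ReturnCode, @id AS NewUserId
```

On the first call the procedure returns 0 and @id holds the Users identity (1), while @@IDENTITY in the caller's batch reports the UsersAudit identity (1000), the value a caller relying on @@IDENTITY would have mistaken for the new user's key. The second call returns 32 with @id NULL. One caveat a practitioner should know: the 2627 error is still sent to the client, so an ADO.NET caller receives a SqlException in addition to the return code. On SQL Server 2005 and later, wrap the INSERT in BEGIN TRY ... END TRY / BEGIN CATCH ... END CATCH and read ERROR_NUMBER() in the CATCH block instead of @@ERROR; the error then stays inside the procedure and only the return code reaches the caller.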


4. Prefix Stored Procedures with "sp_"

Don't prefix your own stored procedures with sp_. SQL Server reserves the prefix for system procedures that live in master, and it treats any procedure whose name starts with sp_ as a candidate system procedure. When you execute one, SQL Server looks for it in this order:

1. A procedure of that name in the master database.
2. A procedure matching any qualifiers you supplied (database name or owner).
3. A procedure owned by dbo in the current database, if no owner was specified.

Two consequences follow. Every call to an sp_ procedure in your database is first looked up in master, so each execution starts with a failed lookup that shows up in Profiler as an SP:CacheMiss before the right procedure is found. Worse, if a system procedure of the same name exists, or one is added by a later version or service pack, yours is never executed: the copy in master wins even when you qualify the name with the database. Use a naming convention of your own (the examples in this article use Users_GetUser and Users_Insert, object name first and action second) and leave sp_ to Microsoft.

3. You Don't Protect the Database Connection String

The connection string is the key to the database. In plain text in web.config (or, worse, in page code), it can be read by anyone who can read the file: an administrator of the box, a developer with source access, or an attacker who gains file read access through some other bug. If the string carries a SQL login and password, so does every backup and every copy of the file.

Two things reduce the exposure. First, use Windows authentication (Integrated Security) so the connection string carries no password at all; the worker-process account (ASPNET on Windows 2000/XP, NETWORK SERVICE on Windows Server 2003) is what gets the database login, as shown in item 10. Second, when a password is unavoidable, don't store it in the clear: encrypt it with the Data Protection API (DPAPI), which Windows 2000, XP and Server 2003 provide. DPAPI encrypts with a key derived from the machine or from the user account, so the ciphertext is useless on another machine or under another account, and you never have to manage or hide a key of your own.


Store the DPAPI ciphertext in web.config and decrypt it at application start into the connection string the code uses. The .NET Framework 1.1 has no managed wrapper for DPAPI, so the Win32 functions CryptProtectData and CryptUnprotectData have to be reached through P/Invoke; the encryption itself can be done once by a small command-line tool run on the web server, so the value is protected on the machine that will use it. Remember that a value encrypted with the machine key can be decrypted by any process on that machine, so still restrict which accounts can read web.config and who can run code on the web server.

2. Accept All Input

Don't trust anything that arrives from the browser. Form fields, query-string values, cookies and headers are all under the user's control, and client-side JavaScript validation can simply be switched off or bypassed with a hand-made request. Validate on the server, for every field, before the value reaches the database: check that it is present when required, that it is the expected type and within the expected range, that its length fits the column it will be stored in, and that it matches a pattern where one exists (an e-mail address, a postal code). Reject what fails; don't try to repair it.

ASP.NET's validator controls do this with one declaration each: RequiredFieldValidator, CompareValidator, RangeValidator, RegularExpressionValidator and CustomValidator, with ValidationSummary to report the results. They emit client-side script for a quick response in the browser and run the same check again on the server, which is the one that counts, so always test Page.IsValid before using the input. ASP.NET 1.1 (2003) also adds request validation (ValidateRequest, set in the @ Page directive or in web.config), which rejects any request containing HTML markup before your code runs; leave it on unless a page genuinely needs to accept markup.

1. Access the Database from the Application with the "sa" Account

Never connect to the database as sa. sa is a member of the sysadmin role: a connection that uses it can read and change every database on the server, create logins, alter the server configuration and run any extended stored procedure. With sa in the connection string, an injection flaw anywhere in the application (item 7) is a complete compromise of the server, not just of one table, and everyone who can read the configuration file (item 3) holds that key.

Create a login for the application and grant it the minimum the data access layer needs: SELECT on the tables or views it reads, and EXECUTE on the procedures it calls. If all access goes through stored procedures, EXECUTE on those procedures is everything it needs; it has no reason to own or alter objects, and it has no business in sysadmin or db_owner. Whether or not anything uses sa, give it a strong password.

Hopefully these ten don'ts help you build applications that keep SQL Server fast and the data in it safe.