0
In SQL systems that support stored procedures, if you don't use certain functions, the sproc will often be stored on the server in compiled and optimized form. When the SQL text is embedded/constructed as a string in PHP or other web page, the text has to be sent to the DB and compiled before execution. This is not only less efficient in the database, it makes the PHP (or whatever) interpreter do more work before sending, and the web server more work to fetch the larger page. So I am wondering why I have never seen stored procedures used in any of the several large open source web apps I've looked at, not even some that ONLY support mySQL or MS SQL Server (both of which have stored procedures).
WGroleau
Posted 2016-10-05T18:44:42.617
Reputation: 438
1There are postives and negatives to using a stored procedure, the folks that don't use them, either have a specific reason not to use them or believe their negatives outweigh their postives. I have a few dozen reasons I don't use store procedures in my own projects that have database backend. – Ramhound – 2016-10-05T18:58:52.517
2Adding to @Ramhound's answer, if you ask 3 developers you'll get 4 answers, but some reasons are more common: using stored procs means placing business logic in the database and it's harder to manage stored procs under version control with the rest of the code assets in the project. – Atzmon – 2016-10-05T19:07:08.847
“When the SQL text is embedded/constructed as a string in PHP” and how would that not be necessary when using a stored procedure? The same parameters are still required. You still need an SQL command to call the SP. The amount of data will of course also be exactly the same. You can’t just magically make either complexity or data vanish. – Daniel B – 2016-10-05T20:28:56.063
1
This "debate" has been raging forever, and will never stop. ;) Read this Coding Horror entry from 2005: Stored Procedures vs. Ad-Hoc SQL for some good info so you can make your own decision. :)
– Ƭᴇcʜιᴇ007 – 2016-10-05T20:31:10.833@DanielB: if you use a stored procedure, you need pass ONLY the parameters. The other way, you have to assemble the entire SQL, get the syntax right, prevent SQL injection, and then the DB server has to compile and optimize. – WGroleau – 2016-10-06T01:30:17.487
@WGroleau On a proper prepared statement, you also only “pass” the parameters. The query is static. SQL injection is also impossible. The server may cache the prepared statement. SPs for that purpose are really just like extracting a method. I get why you would use SPs when end users have direct database access. But I don’t get why anyone would allow that. – Daniel B – 2016-10-06T06:27:51.453
Of course I don't allow the users to write their own sprocs, any more than I would allow them to modify my PHP file! And there is no point caching a statement on the assumption that the next user is going to make the same entries. – WGroleau – 2016-10-06T12:56:37.773