473,322 Members | 1,405 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,322 software developers and data experts.

Stored Procedure vs direct execute SQL

Hello,
Is there any difference to between SLQ string in the code and call execute
query and call a stored procedure and execute the query that way concerning
speed, effectiveness, reliability, …?
Thanks,
Jim.

Nov 19 '05 #1
7 3182
Stored procedures are compiled, so you should see improvement there. How
much improvement and how noticeable really all depends on a number of
factors.

"JIM.H." <JI**@discussions.microsoft.com> wrote in message
news:C9**********************************@microsof t.com...
Hello,
Is there any difference to between SLQ string in the code and call execute
query and call a stored procedure and execute the query that way
concerning
speed, effectiveness, reliability, .?
Thanks,
Jim.

Nov 19 '05 #2
SQL Server caching of queries has reduced the overall performance
gain of procedures versus dynamic sql strings. Procedures
in most cases will still be faster.

They are also "far more" secure than dynamic sql strings.

--
2004 and 2005 Microsoft MVP C#
Robbe Morris
http://www.robbemorris.com
http://www.masterado.net

"JIM.H." <JI**@discussions.microsoft.com> wrote in message
news:C9**********************************@microsof t.com...
Hello,
Is there any difference to between SLQ string in the code and call execute
query and call a stored procedure and execute the query that way
concerning
speed, effectiveness, reliability, .?
Thanks,
Jim.

Nov 19 '05 #3
Read these for starters...

http://www.windowsitpro.com/Articles...layTab=Article
http://www.codeproject.com/database/hkstoredproc.asp
<%= Clinton Gallagher
METROmilwaukee (sm) "A Regional Information Service"
NET csgallagher AT metromilwaukee.com
URL http://metromilwaukee.com/
URL http://clintongallagher.metromilwaukee.com/


"JIM.H." <JI**@discussions.microsoft.com> wrote in message
news:C9**********************************@microsof t.com...
Hello,
Is there any difference to between SLQ string in the code and call execute
query and call a stored procedure and execute the query that way
concerning
speed, effectiveness, reliability, .?
Thanks,
Jim.

Nov 19 '05 #4
I have to strongly disagree with the two other respondants. The real answer
is that it totally depends. To say that stored procedures are "far more
secure" is extremely misleading. By simply using parameterized values in
your dynamic SQL you've achieved high security. Conversly, by using execute
in your stored procedure it's not at all secure.

As far as performance, it really depends on what you are doing. That SQL
Server caches queries is a very misleading generalization. Complexe queries
are often uncacheable. Additionally, client-side (ASP.Net) caching can
belittle this minor advantage. What's worse, the most efficient search
queries are typically written in one form or another of dynamic sql
(otherwise SQL Server can't take advantage of indexes).

Personally I'm a fan of stored procedures (big time), but blanket statements
are dangerous. Saying that stored procedures are secure dangerously risks
taking the responsability away from the developer. Additionally, different
solutions are better suited for different scenarios. As such, only someone
who doesn't subscribe to blanket statements can make the right decision.

Let's look at a simplified example:

create procedure SearchProperty AS
@ListingType INT --pass 0 to search for all listing types
select listingId, listingName from Property
where (@listingType= 0 OR ListingType = @ListingType)
AND Status = 1
In the above example we need to allow 0 to be passed in to mean any listing.
This will likely result in SQL Server being unable to use an index on the
ListingType column, thus resulting in less that optimal performance. To get
ideal performance, we'd need to if the code:

if @ListingType = 0 BEGIN

select listingId, listingName from Property
WHERE Status = 1

END ELSE BEGIN

select listingId, listingName from Property
WHERE ListingType = @ListingType AND Status = 1

END

Now you are getting somewhere...except that it'll get impossible to maintain
with the addition of just a few more search parameters (and query plan
caching will increasingly become less efficient).

We could use execute:

declare @sql varchar(1024)
set @sql = 'select listingId, listingName from Property WHERE Status = 1'
if @ListingType = 0 BEGIN
SET @sql = @sql + ' AND ListingType = ' + @ListingTypeId
END
exec(@sql)

Looky that, a stored procedure and a HUGE potential for SQL
injection...egads! (yes, the above sproc won't actually work but if
@ListingTypeID was a varchar (say comma-separated values) it would).

This simple, and common, example not only illustrates that stored procedures
aren't necessarily faster and just vulnerable, but that they can also be
harder to maintain.

In short, the correct answer is "it depends" and hopefully as you learn more
you'll learn to use the right solution at the right time :)

Karl
--
MY ASP.Net tutorials
http://www.openmymind.net/ - New and Improved (yes, the popup is
annoying)
http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
come!)
"JIM.H." <JI**@discussions.microsoft.com> wrote in message
news:C9**********************************@microsof t.com...
Hello,
Is there any difference to between SLQ string in the code and call execute
query and call a stored procedure and execute the query that way
concerning
speed, effectiveness, reliability, .?
Thanks,
Jim.

Nov 19 '05 #5
PB
I couldn't agree with you more about blanket statements... implying that
proper research and understanding is in order. But I do have a question
regarding your statement:

<< the most efficient search queries are typically written in one form or
another of dynamic sql (otherwise SQL Server can't take advantage of
indexes).>>

I don't understand this. You seem to be saying that SQL Server can use
indexes *only* when fed dynamic SQL. I don't think that's true. Can you
explain further? I guess it's the "one form or another" part that I don't
get. How many forms of dynamic SQL are there?

Thanks.

"Karl Seguin" <karl REMOVE @ REMOVE openmymind REMOVEMETOO . ANDME net>
wrote in message news:ua**************@TK2MSFTNGP15.phx.gbl...
I have to strongly disagree with the two other respondants. The real
answer is that it totally depends. To say that stored procedures are "far
more secure" is extremely misleading. By simply using parameterized values
in your dynamic SQL you've achieved high security. Conversly, by using
execute in your stored procedure it's not at all secure.

As far as performance, it really depends on what you are doing. That SQL
Server caches queries is a very misleading generalization. Complexe
queries are often uncacheable. Additionally, client-side (ASP.Net) caching
can belittle this minor advantage. What's worse, the most efficient
search queries are typically written in one form or another of dynamic sql
(otherwise SQL Server can't take advantage of indexes).

Personally I'm a fan of stored procedures (big time), but blanket
statements are dangerous. Saying that stored procedures are secure
dangerously risks taking the responsability away from the developer.
Additionally, different solutions are better suited for different
scenarios. As such, only someone who doesn't subscribe to blanket
statements can make the right decision.

Let's look at a simplified example:

create procedure SearchProperty AS
@ListingType INT --pass 0 to search for all listing types
select listingId, listingName from Property
where (@listingType= 0 OR ListingType = @ListingType)
AND Status = 1
In the above example we need to allow 0 to be passed in to mean any
listing. This will likely result in SQL Server being unable to use an
index on the ListingType column, thus resulting in less that optimal
performance. To get ideal performance, we'd need to if the code:

if @ListingType = 0 BEGIN

select listingId, listingName from Property
WHERE Status = 1

END ELSE BEGIN

select listingId, listingName from Property
WHERE ListingType = @ListingType AND Status = 1

END

Now you are getting somewhere...except that it'll get impossible to
maintain with the addition of just a few more search parameters (and query
plan caching will increasingly become less efficient).

We could use execute:

declare @sql varchar(1024)
set @sql = 'select listingId, listingName from Property WHERE Status = 1'
if @ListingType = 0 BEGIN
SET @sql = @sql + ' AND ListingType = ' + @ListingTypeId
END
exec(@sql)

Looky that, a stored procedure and a HUGE potential for SQL
injection...egads! (yes, the above sproc won't actually work but if
@ListingTypeID was a varchar (say comma-separated values) it would).

This simple, and common, example not only illustrates that stored
procedures aren't necessarily faster and just vulnerable, but that they
can also be harder to maintain.

In short, the correct answer is "it depends" and hopefully as you learn
more you'll learn to use the right solution at the right time :)

Karl
--
MY ASP.Net tutorials
http://www.openmymind.net/ - New and Improved (yes, the popup is
annoying)
http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
come!)
"JIM.H." <JI**@discussions.microsoft.com> wrote in message
news:C9**********************************@microsof t.com...
Hello,
Is there any difference to between SLQ string in the code and call
execute
query and call a stored procedure and execute the query that way
concerning
speed, effectiveness, reliability, .?
Thanks,
Jim.


Nov 19 '05 #6
Teehee...I made my own blanket statement ;) but atleast I had the word
"typically" in there.

But I can explain what I was saying in more detail. I was specifically
refering to cases where some search parameters are optional, which in my
experience is almost always a requirement. Without using dynamic sql (I
typically use sp_executesql instead of building it in the DAL but that's
just implementation), you are forced to either write a lot of IF/ELSE (which
is totally unacceptable for maintenance), or you write statements like AND
(@SomeParameter IS NULL OR SomeColumn LIKE @SomeParameter)

Using the above approach is sweet because it lets you avoid huge if/elses
AND also avoids dynamic sql. However, SQL server couldn't take advantage of
any indexes on SomeColumn in the above case. Don't get me wrong, it isn't
necessarily a bad approach, simply one which might have an unknown
side-effects (indexes are largely ignored). With dynamic SQL you're query
would either contain the SomeColumn LIKE @SomeParameter or not (determined
at runtime)...it wouldn't check if @SomeParameter IS NULL and wouldn't need
to OR (which I believe is why an index can't be used).

I can't recommend this article enough if your specific question is about
searches:
http://www.sommarskog.se/dyn-search.html it's totally unbiased and
contains no blanket statements...it'll purely educate you and give you
information necessary to making the right choice.

Hope that cleared some of the muck I said..
Karl

--
MY ASP.Net tutorials
http://www.openmymind.net/ - New and Improved (yes, the popup is
annoying)
http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
come!)
"PB" <A@B.com> wrote in message
news:uf**************@TK2MSFTNGP10.phx.gbl...
I couldn't agree with you more about blanket statements... implying that
proper research and understanding is in order. But I do have a question
regarding your statement:

<< the most efficient search queries are typically written in one form or
another of dynamic sql (otherwise SQL Server can't take advantage of
indexes).>>

I don't understand this. You seem to be saying that SQL Server can use
indexes *only* when fed dynamic SQL. I don't think that's true. Can you
explain further? I guess it's the "one form or another" part that I don't
get. How many forms of dynamic SQL are there?

Thanks.

"Karl Seguin" <karl REMOVE @ REMOVE openmymind REMOVEMETOO . ANDME net>
wrote in message news:ua**************@TK2MSFTNGP15.phx.gbl...
I have to strongly disagree with the two other respondants. The real
answer is that it totally depends. To say that stored procedures are "far
more secure" is extremely misleading. By simply using parameterized
values in your dynamic SQL you've achieved high security. Conversly, by
using execute in your stored procedure it's not at all secure.

As far as performance, it really depends on what you are doing. That SQL
Server caches queries is a very misleading generalization. Complexe
queries are often uncacheable. Additionally, client-side (ASP.Net)
caching can belittle this minor advantage. What's worse, the most
efficient search queries are typically written in one form or another of
dynamic sql (otherwise SQL Server can't take advantage of indexes).

Personally I'm a fan of stored procedures (big time), but blanket
statements are dangerous. Saying that stored procedures are secure
dangerously risks taking the responsability away from the developer.
Additionally, different solutions are better suited for different
scenarios. As such, only someone who doesn't subscribe to blanket
statements can make the right decision.

Let's look at a simplified example:

create procedure SearchProperty AS
@ListingType INT --pass 0 to search for all listing types
select listingId, listingName from Property
where (@listingType= 0 OR ListingType = @ListingType)
AND Status = 1
In the above example we need to allow 0 to be passed in to mean any
listing. This will likely result in SQL Server being unable to use an
index on the ListingType column, thus resulting in less that optimal
performance. To get ideal performance, we'd need to if the code:

if @ListingType = 0 BEGIN

select listingId, listingName from Property
WHERE Status = 1

END ELSE BEGIN

select listingId, listingName from Property
WHERE ListingType = @ListingType AND Status = 1

END

Now you are getting somewhere...except that it'll get impossible to
maintain with the addition of just a few more search parameters (and
query plan caching will increasingly become less efficient).

We could use execute:

declare @sql varchar(1024)
set @sql = 'select listingId, listingName from Property WHERE Status = 1'
if @ListingType = 0 BEGIN
SET @sql = @sql + ' AND ListingType = ' + @ListingTypeId
END
exec(@sql)

Looky that, a stored procedure and a HUGE potential for SQL
injection...egads! (yes, the above sproc won't actually work but if
@ListingTypeID was a varchar (say comma-separated values) it would).

This simple, and common, example not only illustrates that stored
procedures aren't necessarily faster and just vulnerable, but that they
can also be harder to maintain.

In short, the correct answer is "it depends" and hopefully as you learn
more you'll learn to use the right solution at the right time :)

Karl
--
MY ASP.Net tutorials
http://www.openmymind.net/ - New and Improved (yes, the popup is
annoying)
http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
come!)
"JIM.H." <JI**@discussions.microsoft.com> wrote in message
news:C9**********************************@microsof t.com...
Hello,
Is there any difference to between SLQ string in the code and call
execute
query and call a stored procedure and execute the query that way
concerning
speed, effectiveness, reliability, .?
Thanks,
Jim.



Nov 19 '05 #7
He said "direct execute sql".

I took this to be executing an entirely dynamically
create sql string. Use of parameters would not
help in this scenario. You are correct in your
assessment when parameterized command objects
are used.

I also said that SQL Server's caching "reduced"
the overall performance gain as a general statement which
is true.

And, I did say the procedures were still faster
in most cases.
--
2004 and 2005 Microsoft MVP C#
Robbe Morris
http://www.robbemorris.com
http://www.masterado.net

"Karl Seguin" <karl REMOVE @ REMOVE openmymind REMOVEMETOO . ANDME net>
wrote in message news:ua**************@TK2MSFTNGP15.phx.gbl...
I have to strongly disagree with the two other respondants. The real
answer is that it totally depends. To say that stored procedures are "far
more secure" is extremely misleading. By simply using parameterized values
in your dynamic SQL you've achieved high security. Conversly, by using
execute in your stored procedure it's not at all secure.

As far as performance, it really depends on what you are doing. That SQL
Server caches queries is a very misleading generalization. Complexe
queries are often uncacheable. Additionally, client-side (ASP.Net) caching
can belittle this minor advantage. What's worse, the most efficient
search queries are typically written in one form or another of dynamic sql
(otherwise SQL Server can't take advantage of indexes).

Personally I'm a fan of stored procedures (big time), but blanket
statements are dangerous. Saying that stored procedures are secure
dangerously risks taking the responsability away from the developer.
Additionally, different solutions are better suited for different
scenarios. As such, only someone who doesn't subscribe to blanket
statements can make the right decision.

Let's look at a simplified example:

create procedure SearchProperty AS
@ListingType INT --pass 0 to search for all listing types
select listingId, listingName from Property
where (@listingType= 0 OR ListingType = @ListingType)
AND Status = 1
In the above example we need to allow 0 to be passed in to mean any
listing. This will likely result in SQL Server being unable to use an
index on the ListingType column, thus resulting in less that optimal
performance. To get ideal performance, we'd need to if the code:

if @ListingType = 0 BEGIN

select listingId, listingName from Property
WHERE Status = 1

END ELSE BEGIN

select listingId, listingName from Property
WHERE ListingType = @ListingType AND Status = 1

END

Now you are getting somewhere...except that it'll get impossible to
maintain with the addition of just a few more search parameters (and query
plan caching will increasingly become less efficient).

We could use execute:

declare @sql varchar(1024)
set @sql = 'select listingId, listingName from Property WHERE Status = 1'
if @ListingType = 0 BEGIN
SET @sql = @sql + ' AND ListingType = ' + @ListingTypeId
END
exec(@sql)

Looky that, a stored procedure and a HUGE potential for SQL
injection...egads! (yes, the above sproc won't actually work but if
@ListingTypeID was a varchar (say comma-separated values) it would).

This simple, and common, example not only illustrates that stored
procedures aren't necessarily faster and just vulnerable, but that they
can also be harder to maintain.

In short, the correct answer is "it depends" and hopefully as you learn
more you'll learn to use the right solution at the right time :)

Karl
--
MY ASP.Net tutorials
http://www.openmymind.net/ - New and Improved (yes, the popup is
annoying)
http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
come!)
"JIM.H." <JI**@discussions.microsoft.com> wrote in message
news:C9**********************************@microsof t.com...
Hello,
Is there any difference to between SLQ string in the code and call
execute
query and call a stored procedure and execute the query that way
concerning
speed, effectiveness, reliability, .?
Thanks,
Jim.


Nov 19 '05 #8

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

3
by: dinesh prasad | last post by:
I'm trying to use a servlet to process a form, then send that data to an SQL server stored procedure. I'm using the WebLogic 8 App. server. I am able to retrieve database information, so I know my...
3
by: Zeke Hoskin | last post by:
Suddenly a stored procedure, very much like several others, is giving EXECUTE permission denied on object 'Add_Adjustment', database 'InStab', owner 'zhoskin'. server:Msg 229, Level 14, State 5,...
9
by: dtwilliams | last post by:
OK, i'm trying to do some error checking on stored procedures and am following the advise in Erland Sommarskog's 'Implementing Error Handling with Stored Procedures' document. Can anybody help...
2
by: Paul Hale | last post by:
Hi all, being new to c# I'm trying to find the best way of passing multiple records to insert into a sql database via a stored procedure. I'm using visual studio 2005 RC SQL server 2005 and C# of...
2
by: Thomas Beyerlein | last post by:
I am building a UI, I am using stored procedures for executing SQL commands on the server. When I ran a insert stored procedure it returned me a error message that it could not find a parameter...
0
by: IamtheEvster | last post by:
Hi All, I am currently using PHP 5 and MySQL 5, both on Fedora Core 5. I am unable to call a MySQL stored procedure that returns output parameters using mysql, mysqli, or PDO. I'm having a...
9
by: fniles | last post by:
I am using VB.NET 2003 and SQL2000 database. I have a stored procedure called "INSERT_INTO_MYTABLE" that accepts 1 parameter (varchar(10)) and returns the identity column value from that table....
3
by: mch1ck3y | last post by:
Hello there - hoping someone can offer some advice. I am using SQL Server 2000 and want a stored procedure to execute 20 seconds after a particular field on a table is updated using a trigger on...
2
by: richkid | last post by:
Good Day, I'm Trying to pass parameters to represent a column name and value to a stored procedure to execute but havinfg difficulties... can anyone help? declare @columnName...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.