If ALL data access is via Stored
Procedures, you can limit the user to only executing stored procedures,
without allowing read permissions on any tables.
Just a counter-point; historically I've used SPs almost exclusively,
and a common need is a flexible "search", which even using the SP
approach often means building dynamic SQL and executing via
sp_ExecuteSQL - which requires read permissions *OR* an involved
signing process. But yes; it can better mitigate against INS/UPD/DEL.
Stored procedures eliminate most sql injection attacks, which are more possible with dynamic sql.
Only if used correctly! "EXEC" is the obvious one, but I've also seen
somebody call an SP by building a CommandText along the lines of
"MyProc '" + argString +"'". Welcome back injection. So yes, an SP
called via parameters will be injection safe - but identically so will
a non-SP command that uses parameters. And any decent ORM (including
LINQ) will do that automatically.
It separates the database processing details from the application processing.
I'd agree that it formalises an API to the database - yet even if the
SP name and args are formalised, the return grid(s) [perhaps the most
important part?] aren't. But it doesn't really separate it - it just
means you have to do it all twice; once in SQL, and once again in C#
to prepare the commands and (more verbosely) consume the data. You can
arguably use ORM to bind to the SPs, but you lose all flexibility and
composability.
Additionally, just look at the ease (and performance) with which LINQ
can sort and page a query. Now try that in SQL... OK, the paging you
can do *reasonably* well in SQL Server 2005+ with CTE etc (and some
other vendors have direct support); the flexible sort? Either a
horrible SELECT CASE, or dynamic SQL (in the SP); but you're very much
back into the world of vendor-specific tricks. Hopefully an ORM tool
(and I'm thinking "Entity Framework"/"LINQ-to-Entity", not LINQ-to-
SQL, for cross-targeting here) will do this (using the appropriate
optimised approach) for free.
Personally I'm quite a big fan of LINQ - and historically I've batted
quite heavily on the "use SPs" team, so I know the arguments for both
sides (and there are *definitey* some good cases where SPs are the
only route). But IMO, there hasn't been a bigger opportunity to at
least call a truce, put aside historical prejudices, and ask: "does
this work for me? how do I want to manage my DAL?". I was surprised...
it really seems to help me...
Marc