PingBack from http://www.onetooneinteractive.com/otolabs-posts/2009/10/10/helping-people-kick-bad-sql-server-habits/

Aaron,

Forgive me Master, I am but learning, and in my learning, I thought I was being brilliant.

I have a web page that actually runs on a file share, with a form. (They took away my server, I had to do something!) The page has VBScript on it, that collects form data and Inserts it into table on our SQL Server. Things need to be done with that data, and immediately!

The table has a trigger.

I thought I was doing so well! This thing not only writes an email, it goes out to the filesystem to find any files uploaded to the form (handled on the web page script) to attach them. Then, after the send_dbmail, (blind copying me, so I know it ran - I said brilliant, right?) it deletes the file (no error checking, you can always delete a file, right? Yeah.)

After doing whatever it does there (*usually* good things), it then EXECs a SP that again goes out to the filesystem, and, through OLE Automation, (sp_OA*, do you mention that above? I *must* be doing things right!) opens not one, but two spreadsheets, inserts information to them, saves them, and finally returns control to the webpage, which puts up a message box that life is good, reassuring the poor user who has been sitting there staring at a web page for several seconds after clicking Submit.

Is this bad? Is this what you mean by trigger abuse? But I meant no harm! I thought I was doing what was right! I thought... never mind what I thought, I am a self taught Accidental DBA/Developer, my thinking is skewed. I'll go fix it. Thanks for pointing out the error of my ways.

Dyfhid

I think it's a bad habit to use TRIGGERs at all. Better to lock down the TABLE and only GRANT EXECUTE on PROCEDUREs that define all actions that need to be taken.

I use TRIGGERs for logon security, db maintenance (where required), and things that just are not part of the application, per se.

>Brian, I agree completely.

Excellent. I was hoping that's what you meant. Between that and the CHAR/VARCHAR comments about space savings, i am very happy you posted these. Perhaps a summary at the end with one line (and a link) for each? A quick sheet, that's all.

>However, in some cases people don't have the ability to make such

>sweeping changes overnight, because existing applications need to

>continue to function.

Aah, instead of Aaron Bertand thou shall be knownst as Aaron the Benevolent.

"Ideally, you should control data access via stored procedures, both for security reasons and so that you can control the DML that affects your tables."

Those are good things, absolutely.  But they miss the value of using something like stored procedures to access the database.

You can use stored procedures to create an "API".  This helps reduce the intimate coupling between an application and the database.  With an API in place, if you need to redesign how some data is stored, you can often do so without having to redesign the API.

Reducing coupling is a software design principle.  It's fundamental to well designed software.  But for some reason, people think it's okay for applications to poke around directly in a database.

Just like any other form of code, database code is best when it is well designed.  And the interface between an application and the database is important.  A well-designed API is critical to the longevity of an application.

So when people ask me why do I not recommend triggers, my point is usually around the need to break a design fundamental.  You don't go poking around directly in tables any more than you go calling code buried in the middle of a module.  You use the API.  And with a good API, there is almost never a need for triggers.

Over my many years of development, I have discovered that stored procedures are not always sufficient to protect data integrity. Sometimes, you have to bake the rules into a trigger to prevent the amateur DBA from screwing the data. Typically, this amateur DBA has been with the company for some time, or in egregious cases, is the CEO/Owner themselves. Using triggers to enforce unusual and important data integrity rules is about the only place where I use triggers.

I don't like either sending emails from inside the trigger, but recently when I mentioned this to a colleague he replied that the sp_send_dbmal just post the message into the queue. I still don't like this approach but what do you have to say about this?

I still don't like it, for a few reasons.

1. if you should ever switch from the built-in mail solution to something else (I had to back in the early 2005 days), you will have to ensure it uses a similar methodology, or potentially re-write your triggers.  You'll have to change all your triggers regardless, because you've hard-coded the delivery mechanism in each one!

2. using your own queue table, you can quickly and easily adjust the frequency of e-mails relative to the number of trigger invocations.  Imagine a row is updated 500 times, you're going to send 500 e-mails, when perhaps only the last one is relevant.  With a queue table you can easily summarize all the new rows since the last poll, and send a single e-mail with either counts or each line item depending on the requirements.

A very low cost up front design can provide both flexibility and scalability without losing a single thing.  

Inapprpiate actions is not just an issue with triggers; as a general rule these actions should never be performed when any locks are held - never performed within a transaction.  Dumping these actions off onto an asynchronous queue handler is not much help if that queue handler holds an exclusive lock on the queue while performing that action (I've seen this done: begin transaction, take the date for 1 email fromk the queue, delete the data, construct the email, send it, if send failed roll back else commit: criminally stupid, in my opinion).SO performing inappropriate actions within a trigger is just another instance of performing inapproopriate actions within a transaction and shouldn't be regarded as something affecting triggers only.

Aaron, how would you weigh triggers to enter records into an audit table of the target table? We use triggers for this, because we have to capture all changes made to all records for regulatory reasons.

I started reading with interest, until I got to the word "jerks" crossed out. You called for this: jerk you! Sproc-only data access is your jerking opinion, and it's obviously not the only correct opinion since there are a ton of people not sharing it with you (otherwise, non-sproc access wouldn't even exist). So, before you call people names, next time use your jerking old-fashioned dba brain to think for a second. Jerk!

Wow, thin skin, Mr. Anonymous?

The jerks i was referring to, if you had bothered to read the context, are the ones who work in an environment where there is a procedure-only policy in place, they just choose to knowingly circumvent the policy because they can, don't care, are lazy, what have you.

I'll say it another way to make it clear: I was not in any way calling people who don't use stored procedures jerks; I was talking about the people who don't find it useful to follow existing conventions in a particular environment.

I'm sorry the concept was lost on you and that you misinterpreted my intent.  If that makes you call me names and find less value in my content, so be it.  But if you ever work for me, be prepared to stand down.

I may have pretty strong opinions about things like this, but that's the beauty of a blog: I'm allowed to state my opinions.  At least I put my name behind mine.  Perhaps I should disable anonymous comments to bypass having to defend my opinions from drive-by shooters like yourself.

Cheers,

Aaron