4

I m using ASP.NET Core 1.0 and website will be big (expecting about 5,000 visitors per hour). I have read many times that stored procedures are very fast and safe (in terms of SQL injection etc). But the code first EF if so easy that I want to use it, but the CRUD methods are hidden.

What will be the disadvantages (if any) to use Scaffolding with EF over SP's in terms of performance and security?

  • 1
    There's another element here: maintainability. Are you supporting the product? If there is a critical issue that needs to be solved quickly will this be faster or slower with stored procedures? For me, yes. For others, No. – Nick.Mc Mar 03 '16 at 05:35
  • @Nick.McDermaid For me the only issue as of now is security and performance. I can't decide whether or not to use EF. I can decide between Code first or Data first EF. So which one will you recommend in this scenario? –  Mar 03 '16 at 06:06
  • Excellent points are made below by @RobertHarris. Auto-generated EF SQL code can _very ocassionally_ cause performance issues and in this case you cannot hand-optimise the SQL because it is automatically built by EF. You can certainly have just as many performance issues with hnad coded stored procedures but you do have the option of optimising them. For a write-heavy system this probably is't going to be a problem though. If you have performance issues get a DBA to take a look, – Nick.Mc Mar 03 '16 at 06:35
  • @Nick.McDermaid While working with Dapper which one will be better, SP's or plain SQL queries? –  Mar 03 '16 at 12:05
  • Shouldn't be any difference between stored procedures and parameterized SQL queries with Dapper. Just more effort to setup the stored procedure. See http://stackoverflow.com/a/12948506/1684623 – Robert Harris Mar 03 '16 at 13:41
  • I'm not familiar with Dapper, but I don't have much to add beyond the comments below – Nick.Mc Mar 04 '16 at 06:54

3 Answers3

3

As long as you are using parameterized SQL you should be okay in terms of SQL injection. Never use user input to directly "build" SQL queries via string concatenation. So, as long as you use Entity Framework, stored procedures, or other tools correctly you shouldn't have to worry about SQL injection.

In terms of performance Entity Framework and other similar tools do perform worse overall. I'm not sure that alone is enough to keep you from using it though unless your program expects to have very heavy usage.

Stack Exchange has a nice open source tool Dapper is more lightweight than Entity but still has some nice features. It allows you to write raw SQL. See the section on performance in the Dapper readme. It performs very well, much better than other frameworks.

Staying away from stored procedures can help improve your architecture. Stored procedures may encourage you to encode lots of business logic in the database where unit and integration testing is more difficult to do. Also, deploying new apps becomes more difficult due to having to keep your application, stored procedures, and schema in sync.

So, in short Entity Framework is a great tool but can decrease performance. There are alternatives to stored procedures that are still high performing. Security shouldn't be an issue with whatever mature tool you use (correctly).

Edit to answer additional questions

Isn't Dapper susceptible to SQL injection?

Sure, but just about any tool is if used incorrectly. Here is the proper way to use Dapper example from their documentation. This query is parameterized.

connection.Execute(@"insert MyTable(colA, colB) values (@a, @b)",
    new[] { new { a=1, b=1 }, new { a=2, b=2 }, new { a=3, b=3 } }
  )

Now, here is a bad example that is susceptible to SQL injection:

connection.Execute(@"insert MyTable(colA, colB) values ('" + a + "', '" + b + "')")

Is Entity Framework always safe?

No, if you concatenate variables like the previous section and use ExecuteQuery you run into issues as well.

Are stored procedures always safe?

No, you can still run into SQL injection issues if you use dynamic SQL without parameterization.

Here is a link that discusses how ORMs and stored procedures are susceptible to SQL injection: http://www.troyhunt.com/2012/12/stored-procedures-and-orms-wont-save.html

What will be the disadvantages (if any) to use Scaffolding with EF over SP's in terms of performance and security?

No security issues if used properly like discussed above. Scaffolding is great if you're doing CRUD pages.

If you need to do advanced reporting you may need custom SQL which can still be done with Entity Framework. There is nothing wrong with using scaffolding for as much of your app as it makes sense to use it for and then use parameterized SQL via Entity for everything else. You can always even use scaffolding and then modify the generated classes to do what you want. For CRUD pages use scaffolding and for advanced queries write your own.

The performance hit from using Entity Framework for simple queries probably won't hurt you for basic queries - it should be minimal. You need to worry more about proper indexing and database schema most likely. A bad schema or incorrect indexing will cause performance issues in a hurry.

Robert Harris
  • 482
  • 2
  • 6
  • You have written very informative article. But now it is fixed that we will be using EF. Question is to use code first or data first EF. In code first EF, we are not doing any CRUD logic, all is done. So can I be sure that it is safe and secure? –  Mar 03 '16 at 05:36
  • One of my teammates is saying that Dapper is less secure as SQL injection is possible. Is it right? –  Mar 03 '16 at 10:52
  • By "not doing any CRUD" logic I'm assuming you're referring to scaffolding. You should be able to use scaffolding with MVC regardless of whether you're letting Entity do migrations for you or you're modelling Entity classes based on your existing database schema. Code first EF can migrate the database for you on deployment which is a very convenient feature. I'm not sure how well that would work in complex scenarios but it could potentially work out great. I've always used database first since I've added Entity Framework to an existing project. – Robert Harris Mar 03 '16 at 12:50
  • Are you trying to say use scaffolding inbuilt methods for CRUD and dapper for Complex queries? –  Mar 03 '16 at 13:30
  • 1
    That would be a good route to go in my opinion. You could use Entity Framework for your custom queries but you may get better performance and simpler code by using Dapper for those complex queries. According to the Dapper docs you should get better performance. I'd recommend experimenting with both to see what works for you. It may turn out that using Entity for your complex queries is sufficient. – Robert Harris Mar 03 '16 at 13:39
0

I like to think of choice between writing stored procedures and writing queries in EF as similar (in some way) to difference between programming in assembler and writing programs that are being runned in managed environment (like .NET and Java). Applications written for managed environments are always slower than those written in assembly language, but on the other hand it is usually much easier (and thus cheaper) to write complex applications using managed languages. With use of EF linq you will write your queries much faster and they will be usually simpler than their sql equivalents and thus easier to maintain. Other important factor is that applications changes rapidly, new functionalities are being added, old are being rewritten and along with this process tables and other db structures changes. When this happen your SP can no longer work correctly. When do you know that they should be fixed? Only when you run them. When do you know that you need to fix EF query because table changes? During compilation. And performance lost? Generally nowadays we have fast and quite cheap machines so we do not care that much. I examined once execution time of EF query and its sql equivalent - plain sql gained me decrease in execution time like 5% - this is nothing for me. And as sql queries are much more complex there is high probability of writing your query in wrong way so that it will be unnecessary slower. And finally, if you need in your app really great performance for some complex query - write it as SP and execute it easily with EF.

When it comes to security EF query generators always use sql parameters so they are as safe to sql injections as SP.

mr100
  • 4,340
  • 2
  • 26
  • 38
  • Thanks. But I was saying of the case when we just add a model class and add controller with views using EF. Then we don't write any CRUD logic. The inbuilt methods are completely hidden to us. Are those methods as secure as SP's and LINQ queries? –  Mar 03 '16 at 07:43
  • 1
    They offer the same level of security as linq queries. If you want to use stored procedures for CRUD with EF you may configure this as well: https://msdn.microsoft.com/en-us/data/dn468673.aspx – mr100 Mar 03 '16 at 07:51
  • And in terms of performance? –  Mar 03 '16 at 08:00
  • Generally in most situations the performance of CRUD operations is just the same as plain SQL. EF just gathers all the changes that you've made to one batch and you decide when to execute it against db by calling Save() on DbContext. But there are some cases when CRUD with EF is troublesome - it always requires to fetch the data before altering. For instance removing all rows from table would require fetching them first and then calling RemoveRange with them. In such cases I would sugest to use plain SQL queries with EF. They are easy to call and such cases are rare. – mr100 Mar 03 '16 at 08:05
0

You can use scaffolding to create DB and views and replace the calls to inbuilt methods by your own methods.

It's a trap
  • 1,333
  • 17
  • 39