5

My company doing new policy because my company would have certification of some international standards. That policy is, the DBA not allowed to query directly into database, like :

select * from some_table, update some_table, etc.

We have to use stored procedure to do that queries.

Regarding my last question in here : Postgres pl/pgsql ERROR: column "column_name" does not exist

I'm wondering, do we have to create a stored procedure per table, or per condition? Is there any way to create stored procedures more efficiently?

Thanks for your answer before..

and sorry for my bad english.. :D

Community
  • 1
  • 1
Diaz Pradiananto
  • 447
  • 11
  • 21
  • If you use stored procedures, your users connecting to the database don't need to have any direct permissions on the base tables - they just need to be able to execute the stored procedures. This can be a very useful security measure – marc_s Mar 01 '12 at 09:50
  • yes i understand that,, but we have to create so many stored procedure, is there any more efficient way to do this? maybe you can lookup into my last question above. if i have to create procedure, how we can create a procedure efficiently? – Diaz Pradiananto Mar 01 '12 at 10:01
  • You can find a lot of information and links on performance and characteristics of stored procedures versus raw queries in PostgreSQL in this [related post at dba.SE](http://dba.stackexchange.com/q/8119/3684). – Erwin Brandstetter Mar 08 '12 at 01:02

1 Answers1

10

Some reasons to use stored procedures are:

  • They have presumably undergone some testing to ensure that they do not allow business rules to be broken, as well as some optimization for performance.
  • They ensure consistency in results. Every time you are asked to perform task X, you run the stored procedure associate with task X. If you write the query, you may not write it the same way every time; maybe one day you forget something silly like forcing text to the same case before a comparison and something gets missed.
  • They start off taking somewhat longer to write than just a query, but running that stored procedure takes less time than writing the query again. Run it enough times and it becomes more efficient to have written the stored procedure.
  • They reduce or eliminate the need to know the relationships of underlying tables.
  • You can grant permissions to execute the stored procedures (with security definer), but deny permissions on the underlying tables.
  • Programmers (if you separate DBAs and programmers) can be provided an API, and that’s all they need to know. So long as you maintain the API while changing the database, you can make any changes necessary to the underlying relations without breaking their software; indeed, you don’t even need to know what they have done with your API.

You will likely end up making one stored procedure per query you would otherwise execute.

I'm not sure why you consider this inefficient, or particularly time-consuming as compared to just writing the query. If all you are doing is putting the query inside of a stored procedure, the extra work should be minimal.

CREATE OR REPLACE FUNCTION aSchema.aProcedure (
    IN  var1        text,
    IN  var2        text,
OUT col1        text,
OUT col2        text
)
    RETURNS setof record
    LANGUAGE plpgsql
    VOLATILE
    CALLED ON NULL INPUT
    SECURITY DEFINER
    SET search_path = aSchema, pg_temp
    AS $body$
        BEGIN
            RETURN QUERY /*the query you would have written anyway*/;
        END;
    $body$;
GRANT EXECUTE ON FUNCTION aSchema.aProcedure(text, text) TO public;

As you used in your previous question, the function can be even more dynamic by passing columns/tables as parameters and using EXECUTE (though this increases how much the person executing the function needs to know about how the function works, so I try to avoid it).

If the "less efficient" is coming from additional logic that is included in the function, then the comparison to just using queries isn't fair, as the function is doing additional work.

Matt
  • 4,515
  • 5
  • 22
  • 29
  • wow.. thanks for your answer matt. maybe i'm just a beginner on dba world. your answer makes me more curious about use of stored procedure on the bussiness. so what kind of stored procedure i have to create? on my last question i have the procedure,, is it enough for bussiness? or you can give me more tips to create procedure efficiently? – Diaz Pradiananto Mar 02 '12 at 10:19
  • here's the reason why i said not efficient, because i have to create one by one procedure as much as total of table on my database. ex : to query table a, i create procedure select_to_a, query table b, i create procedure select_to_b. – Diaz Pradiananto Mar 02 '12 at 11:17
  • You’re likely going to end up with as many or more procedures than tables (public API procedures that represent tasks, and private procedures that are helpers for the previous), but there shouldn’t be a 1-to-1 mapping of tables to procedures (if you do that, you might be tempted to write `SELECT * FROM proc1(), proc2()`, which isn’t really the point of writing stored procedures. There will always be overhead when writing the procedure, so it’s never going to be quicker/easier/more efficient/require less typing than writing just the query, I’m just arguing that the overhead is minimal. – Matt Mar 02 '12 at 13:48
  • so how can i create procedure but not mapping 1 by 1 per table? can u give me the clue? – Diaz Pradiananto Mar 05 '12 at 07:51