Re: Magical SQL

A couple of brief notes:

1. This seems MySQL-specific: not all databases have INNER JOIN or LAST_INSERT_ID. So you wind up building abstractions for these and bingo! you've reinvented Alzabo, SPOPS or many other SQL abstraction tools.

2. I agree with one of the previous posters that having column-level security is a bad idea -- it sounds like a good idea, but when you think about it, is it an idea that you really need? I implemented something with this four years ago. It worked, but it was a nightmare. And not just implementation-wise -- it's difficult for people to understand as well.

3. I have had quite a bit of experience in creating SQL from either metadata or parameters (see SPOPS, for starters). Over that time I have come to the conclusion that it's better to use straight SQL for creating non-straightforward queries. Why?

For all the bitching about SQL, it's a standard. It's been around for years. There are large books and web tutorials written about it. In short, people know it. And your metatadata or parameters for creating these queries winds up being more confusing and less maintainable than the SQL it's supposed to generate. Sure people can learn how the metadata or parameters work, but isn't it a better idea to leverage the knowledge people already have about SQL?

Just my 2c, etc.

Chris
M-x auto-bs-mode

Comment on Re: Magical SQL Select or Download Code

Replies are listed 'Best First'.
Re: Re: Magical SQL by ignatz (Vicar) on Apr 26, 2002 at 13:27 UTC
AMEN Often SQL is the only liferaft one can find when sifting through foreign code. ()-() \"/ `	[reply]
Re: Re: Re: Magical SQL by perrin (Chancellor) on Apr 26, 2002 at 15:34 UTC
ignatz++. Sing it, brother. Testify.	[reply]
Re: Re: Magical SQL by powerman (Friar) on Apr 26, 2002 at 13:27 UTC
Alzabo and SPOPS are huge! I don't want use them or reinventing them. Remember: "Keep it Simple, Stupid"! But I agree about MySQL-specific. This is not good, but I prefer simple and fast code instead of compatible with all world. So, if I can make it portable and non MySQL-specific without make it slow and complicated, i do it. And I don't try to make some sort of abstraction layer for any type of SQL queries. Non-straightforward queries MUST be done using straight SQL, and I say it already in main post. This idea is a lazy automagicall replacement only for simple SQL queries. And as I write before our survey show what >95% of used SQL queries in typical CGI scripts ARE simple and can be done using this interface. *In fact, size of my CGIs now 50% less with this interface!* And, please, explain what do you mean as column-level security?	[reply]
Re (3): Magical SQL by lachoy (Parson) on Apr 26, 2002 at 14:52 UTC
1. Alzabo and SPOPS are large because they implement a lot of functionality across different databases. (And in the case of SPOPS, across different datasources like LDAP.) They're also large because they handle many of the outlying cases that any homebrewed SQL generation mechanism will eventually have to deal with if it's used for a non-trivial application. Most large modules like these also ensure that you don't need to know everything about them to start using them. There are huge swaths of SPOPS that most people never need to care about. All they need to do is feed a configuration to a particular method and they can start accessing their database using straightforward methods. This doesn't prevent you from writing your own more complicated access, but it takes care of the common 90% usage. The KISS principle is excellent, but difficult problems often call for larger solutions. The fact that entire companies and productlines have been built on simplifying database access tells me this is a difficult problem. 2. That's fine if you're keeping this MySQL-specific. You might want to mention it :-) 3. As for non-straightforward queries using straight SQL, maybe we have different definitions for "non-straightforward". When I see something like: `%Q = ( country => 'Ukraine', age__ge => 25, join_date__date_ge => "-1 DAY", _balance__gt => 5.50, goods => ["Monitor LG", "CDROM 52x"], -order => ["_balance DESC", "age"], );` [download] This screams complicated. Based on my own painful excursions into generating complex SQL from this sort of information, I see the temptations that this can offer and am trying to warn you away from them. 4. Column-level security is when only certain users can update certain columns. Your statement that "ADMIN _can_ set balance for any USER..." leads me to believe you're doing this. Apologies if I was mistaken. Don't get me wrong, I'm not saying that what you're doing stinks. If it works for you and makes your code easier to maintain, fantastic. Good luck. Chris M-x auto-bs-mode	[reply] [d/l]
FIELD__func by powerman (Friar) on Apr 26, 2002 at 15:23 UTC
Yes, you right. Things like this one: join_date__date_ge => "-1 DAY" are too complicated for my eyes too!. And maybe this task must be solved in different way. Or removed at all, and queries like this must be executed straightforward. The __date_ge was born as solution for this problem: in too many cases using just "field=value" insufficient, we need also "field<=value", "field > DATE_SUB(NOW(), INTERVAL value)" ans so on. But accepting plain SQL from user this way: script.cgi?field=>5 is too insecure. So, we still looking for more simple solution for this! And this is a *main reason to post here*.	[reply]