October 20th, 2003, 10:19 PM
Poor SQL Server Programming!
Over the past 6-7 years, I have seen companies sell custom software that
costs thousands of dollars and are the most poorly written applications.
For example, we (the company I used to work for) paid $60K from a company
for specialized software targeted for data processing centers that transmits
and receives files from a Windows NT/W2K server for both new and legacy type
protocols. This software originally use SQL Server 6.5, and later 7.0, and
Unfortunately, the company sold this software to us before I had a chance to
review it. One of my biggest pet peeves is the over use of the System
Administrator account known as "SA". For those not familiar with SQL Server
and "SA", this is the default administrator account that Microsoft provides
when SQL Server is installed.
That's right. This software used "SA" to access the backend SQL Server
database. It also required a blank password.
Now, before you go blaming Microsoft for having this as a default
option--any DBA worth their salt would think to change this password. So
don't get me started on that band-wagon...
OK, "SA", big deal you say.... simly change the username and password that
the application uses and restrict permissions, right? Well, Not exactly.
Unfortunately, the developer hard-coded the username and password within his
connection string in the application.
That's right. I couldn't change this even if I wanted it. It took about 3
months for them to recode their software and give me a new release for this
Now -- if this would have been a $30 application, I probably wouldn't have
been so upset. But we paid over $60K for this software!!!
Is this what I should begin to expect from any/all software developers that
use SQL Server?
My thoughts are these:
1) The developer typically designs application on his personal PC which is
usually Administrator. This provides full access to file system, registry,
2) Since SQL Server is typically installed with default options and not
changed, this is what the developer begins to use when writing his software.
3) Virtually every computer book that discusses SQL Server programming
usually uses "SA" username as the example. I assume this is because it is
much easier to teach the reader to use something that is already there
versus telling them how to create an application user or how to use an
application role within SQL Server.
4) Applications have gotten overly simple to use due to all the wizards and
shortcuts that my grandmother could almost figure out how to use it. This
results in people calling themselves a DBA when they no virtually nothing
outside of the point-and-click mode.
Where are the days when programmers had to know the platform that they were
designing? Now days, programmers are not called programmers.... they're
called developers. One is no longer writing software in COBOL or FORTRAN any
more. They right software using a variety of tools and multiple languages.
Most developers now days have to know many different languages and
applications just to design an application. It is not uncommon for someone
to need to know Perl, C, VB, Java, SQL Server, NT, Networking, and Linux
just to write a decent application.
Please don't get me wrong. There are many applications that don't require
all this knowledge and and the same time, there are many highly quialitified
programmers that know all this stuff.
My biggest beef today is the over zealous developer that really doesn't know
enough of anything. Many use wizards to write SQL statements and have no
knowledge of indexes. Many have poorly created SQL statements that return
too much data...
Many don't understand networking and the OSI model of network applicaiton