8/14/2019 Database Stored Procedures
Copyright Sammamish Software Services 2003. All rights reserved.
Mary R. Sweeney
What are stored procedures?
Why do developers use them?
Performance optimization by the DBMS
Security: access can be limited
Robustness against hacks
Why test stored procedures?
Aren't there test tools out there that can handle this?
App source code
C++, Java, etc.
Routines for accessing data
Data access routines reside within the application source
App source code
C++, Java, etc.
Routines for accessing data
Data access routines are moved to the database backend
A. Debugging Stored Procedures
White box access to code. (Largely a development effort.)
B. Testing an app's Stored Procedures in the DB Backend
White box (Unit Test).
C. Creating and using Stored Procedures for Testing
Black or white box.
Create procedure uspValidateUser
(@userName varchar(50),
@userPass varchar(20))
as
select * from users
where userName = @userName and userPass = @userPass;
Create Procedure procedurename as
Begin
SQL-Statements
End;
SELECT text FROM USER_SOURCE
WHERE name = 'INPUTCOMMERCIAL2';
You can also check the status of the stored procedure, such as whether or not it compiled properly and is runnable, by using this statement:
SELECT object_name, object_type, status
FROM user_objects
WHERE object_name = 'INPUTCOMMERCIAL2';
T-SQL:
EXEC SP_HELPTEXT INPUTCOMMERCIAL;
CREATE Procedure procedurename
(parametername datatype, )
as
Begin
SQL-Statements
End;
SQL> execute inputCommercial2(&propid, &propname, &propdesc, &loan);
Enter value for propid: 99
Enter value for propname: 'prop1'
Enter value for propdesc: 'desc'
Enter value for loan: 50000
declare
  cursor get_prop_data is
    SELECT id, name, description
    from COMMERCIAL_PROPERTY;
begin
  /* the cursor FOR loop opens, fetches and closes the cursor implicitly */
  for cl_rec in get_prop_data loop
    null; /* code goes here */
  end loop;
end;
/
Demo 1: Creating and testing a Simple Stored
Procedure
Testing stored procedures using SQL
Set up a test harness / test bed which bypasses the front end
GUI or Web Front End
SQL Harness / Test Bed
You can set up your tests for database values and objects using Structured Query Language within the SQL*Plus and/or Query Analyzer environments.
To do this you create independent SQL statements.
In PL/SQL these are called anonymous, or unnamed, blocks.
Creating Test harnesses for Ad hoc testing
Using nocount:
Set nocount on|off
Stops the message indicating the number of rows affected by a Transact-SQL statement from being returned as part of the results.
set nocount on
select 'Starting Tests: ', current_timestamp;
-- start from an empty table so the run is repeatable
delete commercial_property;
exec inputCommercial2 10, 'TestProp1', 'Test Description1', 22;
-- show the table contents after the call
select * from Commercial_Property;
select 'Ending Tests: ', current_timestamp;
set nocount off
Using the declare statement:
In PL/SQL variables are declared like this:
Declare
e_empno NUMBER := &Empnum;
e_exists varchar2(3) := 'NO ';
T-SQL:
declare @e_expected char(3),
@e_exists char(3) ;
set @e_expected = 'YES';
set @e_exists = 'NO ';
Declare
/* variable declarations */
Begin
/* code */
End;
if exists(select * from COMMERCIAL_PROPERTY
where ID = 192)
select 'Test Pass: Property exists ';
else
select 'Test Fail: Property doesn''t exist ';
SQL 2000's T-SQL does not include exception handling; however, you can check for system errors using the @@Error global variable.
If a system error is generated during a test, the @@Error variable is automatically loaded with the error number.
You can check this value and take appropriate action, such as rolling back a transaction, if necessary.
For testers this allows you to check for certain expected kinds of errors.
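The expected-error check described above, as an added example that is not part of the original slides: a T-SQL script that provokes two known errors and verifies their numbers through @@ERROR. The #prop table is constructed for the example; 2627 and 515 are SQL Server's error numbers for a primary key violation and for a NULL in a NOT NULL column.

```sql
set nocount on;
-- Constructed table for this example; name and columns are assumptions.
create table #prop (id int primary key, name varchar(50) not null);
insert into #prop values (10, 'TestProp1');

declare @err int, @rows int;

-- Negative test 1: a duplicate key must be rejected (error 2627).
insert into #prop values (10, 'Duplicate');
-- @@ERROR is reset by every statement, so copy it in the very next one.
select @err = @@error, @rows = @@rowcount;
if @err = 2627 and @rows = 0
  select 'Test Pass: duplicate key rejected';
else
  select 'Test Fail: expected error 2627, got ', @err;

-- Negative test 2: NULL in a NOT NULL column must be rejected (error 515).
insert into #prop values (11, null);
select @err = @@error, @rows = @@rowcount;
if @err = 515 and @rows = 0
  select 'Test Pass: missing name rejected';
else
  select 'Test Fail: expected error 515, got ', @err;

-- Control: a valid insert must leave @@ERROR at 0 and write one row.
insert into #prop values (12, 'TestProp2');
select @err = @@error, @rows = @@rowcount;
if @err = 0 and @rows = 1
  select 'Test Pass: valid row accepted';
else
  select 'Test Fail: valid insert raised error ', @err;

-- The rejected rows must not have been written.
if (select count(*) from #prop) = 2
  select 'Test Pass: only rows 10 and 12 exist';
else
  select 'Test Fail: unexpected rows in #prop';

drop table #prop;
```

When run in Query Analyzer, the server's error messages for the two rejected inserts still appear in the output next to the Pass lines.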
Declare
Begin
/* code */
Exception
when NO_DATA_FOUND then
/* code */
End;
Demo 2: Testing stored procedures using a SQL
script
Can be stored within the target database or within a linked database
Can use test data stored within the database for a data driven test
Stored Procedure tests
SQL cursors:
DECLARE tnames_cursor CURSOR FOR
SELECT au_lname FROM authors
OPEN tnames_cursor
DECLARE @authname varchar(40)
FETCH NEXT FROM tnames_cursor INTO @authname
/* testing using testdata table values: */
for test_rec in get_test_data loop
  inputCommercial2(test_rec.id, test_rec.name, test_rec.description, test_rec.primary_loan_id);
end loop;
Demo 3: Testing a stored procedure with a stored procedure
Basic functionality:
Test input and output parameters using standard techniques (boundary analysis, parameter validation, etc.)
Should have error-handling and existence checks
Triggered stored procedure functionality
Stored procedures which include queries that cover the entire table, i.e., table scans (performance)
SPs which return nothing (performance)
System/application errors returned to the user (incomplete or ineffective or no error-handling)
Corrupt data results
Tester's checklist: What to look for (cont)
No use of transactions
Excess use of temp tables and cursors
No data validation for required parameters
No return of status
Parameters: precision mismatches; lack of default values
Susceptibility to deliberate, destructive attacks, such as SQL Injection attacks
DevPartner by CompuWare (DB2, Oracle, SQL Server)
Visual Studio .Net (for SQL Server)
SQL Navigator by Quest (for Oracle)
Quest Code Tester (Steven Feuerstein)
NUnit (Windows)
JUnit (Unix)
csUnit
DbUnit
Scripting languages can be effectively utilized to exercise stored procedures.
VBScript
Perl
Ruby
Javascript/Jscript
Data access languages: PHP or ADO
they typically have a light footprint, i.e., are easy on the test system.
they can directly and quickly emulate the calls being used by the application, especially if you use the same scripting language as the application! (Be careful to avoid replicating application development.)
test scripts are smaller, more focused and are able to isolate bugs better than using the application to do the test.
Dim conn, rsTestData, i, strMsg
Set conn = CreateObject("ADODB.Connection")
' scott/tiger is Oracle's sample account; keep real credentials out of test scripts
conn.Open "Provider=MSDAORA.1;Password=tiger;User ID=scott"
Set rsTestData = CreateObject("ADODB.Recordset")
rsTestData.CursorType = 1 ' adOpenKeyset
rsTestData.Open "select * from EMP", conn
rsTestData.MoveFirst
my $conn = $WScript->CreateObject('ADODB.Connection');
$conn->Open('NWDsn');
# State 1 means the connection is open
if ($conn->{State} == 1) {
    $WScript->Echo("Connection Successful!");
}
else {
    $WScript->Echo("Connection Failed");
}
my $adOpenKeySet_CursorType = 1;
my $rst = $WScript->CreateObject('ADODB.Recordset');
my $rst2 = $WScript->CreateObject('ADODB.Recordset');
$rst->Open('SELECT * FROM TestData', $conn, $adOpenKeySet_CursorType);
$WScript->Echo("There are ".$rst->{RecordCount}." records in the Recordset");
PHP/Perl:
Open source software
Can run on Linux, Windows, Unix systems
Widely used; lots of documentation
Perl Oracle module has issues
ADO/VBScript:
Runs only on all Windows OS
Freely downloadable; pre-installed on Windows
Widely used; lots of documentation
My best choice for Windows
Introduction to database Triggers
Triggers are a special type of stored procedure that is applied to tables.
Complex procedural data integrity methods and business logic can be added to a database using triggers.
A trigger is a set of actions that execute automatically whenever a specified event occurs to a specified table.
Events can be an insert, update, delete, or read operation.
The trigger can run before or after the event.
Referential Integrity Constraints should be used before Triggers
Complex procedural data integrity methods and business logic can be added to a database using triggers.
A single trigger can run multiple actions, and it can be fired by more than one event. For example, you can create a single trigger that runs when any valid event, INSERT, UPDATE, or DELETE, occurs.
Triggers cannot be fired manually.
An important feature of triggers is that unsuccessful transactions are automatically rolled back.
CREATE TRIGGER reminder
ON Orders
FOR UPDATE
AS
select 'A row was just modified in the Orders table';
The main clauses in a CREATE TRIGGER statement can be summarized as follows:
CREATE TRIGGER trigger_name
ON table_name or v
FOR trigger_class and trigger_type(s)
AS SQL statements
Triggers are an important way that business logic is implemented in a database
Triggers have automatic behavior that can be complex and can cause significant damage if incorrect
Triggers are expensive and should be used judiciously
Graph trigger effects
Trigger effect graph:
Table       Trigger      Events    Affected table
Customers   trgOrdUpd    U         Orders
            trgCustLog   U, D, I   CustLogtbl
Orders      trgOrdLog    U, D, I   OrdLogtbl
Design test cases for each trigger effect
Customer table test cases:
TC1: Add record to cust; Check custlog
TC2: Update cust record; Check custlog; check Orders table
TC3?
Map out trigger effects
Trigger effect map (diagram):
Customers table -> TrgOrdUpd -> Orders table
Customers table -> TrgCustLog -> Customer log table
Orders table -> TrgOrdLog -> Orders log table
A trigger for logging table changes:
Create Trigger trgCustLog
on Customers
after update
as
begin
insert into custlogtbl
select current_timestamp, 'Updated', customerid from deleted;
end;
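A test script for the "update cust record; check custlog" case against this trigger, added here as an example and not taken from triggerlogexample.sql. The table layouts (custname, logtime, logaction) are assumptions; only customerid and the trigger body come from the slide.

```sql
-- Constructed schema: every column name except customerid is an assumption.
create table Customers (customerid int primary key, custname varchar(50));
create table custlogtbl (logtime datetime, logaction varchar(10), customerid int);
GO
-- The slide's trigger, unchanged.
create trigger trgCustLog on Customers after update as
begin
  insert into custlogtbl
  select current_timestamp, 'Updated', customerid from deleted;
end;
GO
set nocount on;
insert into Customers values (1, 'Acme');
insert into Customers values (2, 'Bravo');
insert into Customers values (3, 'Corex');

declare @before int, @added int;

-- Case a: a single-row update must add exactly one log row for that customer.
select @before = count(*) from custlogtbl;
update Customers set custname = 'Acme Ltd' where customerid = 1;
select @added = count(*) - @before from custlogtbl;
if @added = 1 and exists (select * from custlogtbl
                          where customerid = 1 and logaction = 'Updated')
  select 'Test Pass: single-row update logged';
else
  select 'Test Fail: expected 1 log row, got ', @added;

-- Case b: the trigger fires once per statement, so a two-row update
-- must still log both rows held in the deleted table.
select @before = count(*) from custlogtbl;
update Customers set custname = upper(custname) where customerid in (2, 3);
select @added = count(*) - @before from custlogtbl;
if @added = 2 select 'Test Pass: multi-row update logged';
else select 'Test Fail: expected 2 log rows, got ', @added;

-- Case c: an update matching no rows still fires the trigger; nothing may be logged.
select @before = count(*) from custlogtbl;
update Customers set custname = 'x' where customerid = -1;
select @added = count(*) - @before from custlogtbl;
if @added = 0 select 'Test Pass: empty update logged nothing';
else select 'Test Fail: expected 0 log rows, got ', @added;
GO
drop table Customers;   -- dropping the table also drops its trigger
drop table custlogtbl;
```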
Demo triggerlogexample.sql
Database Security: Testing for database hacks
ABC Corp. Login Form:
Username: ' or 1=1; drop table user; --
Password:
Turns this query:
Select username from user where username = 'someuser' and pass = 'somepass'
Into this query:
Select username from user where username = '' or 1 = 1; drop table user; -- ' and pass = ''
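A regression test a tester could keep for this input, added as an example and not part of the original slides. It uses the uspValidateUser procedure shown earlier, a constructed users table, and a hypothetical concatenating variant (uspValidateUserDyn) that the closing review query is meant to surface.

```sql
-- Constructed test data; the two-column layout is an assumption.
-- The table is named users, as in uspValidateUser.
create table users (userName varchar(50), userPass varchar(20));
insert into users values ('someuser', 'somepass');
GO
-- The slide's procedure: input reaches the query only as bound parameters.
create procedure uspValidateUser
  (@userName varchar(50), @userPass varchar(20))
as
  select * from users where userName = @userName and userPass = @userPass;
GO
-- Hypothetical unsafe variant: input is pasted into the statement text.
create procedure uspValidateUserDyn
  (@userName varchar(50), @userPass varchar(20))
as
  exec ('select * from users where userName = ''' + @userName
        + ''' and userPass = ''' + @userPass + '''');
GO
set nocount on;
declare @input varchar(50);
set @input = ''' or 1=1; drop table users; --';  -- the slide's login input
create table #hits (userName varchar(50), userPass varchar(20));

-- Test 1: the hostile input must match no user and leave the table in place.
insert into #hits exec uspValidateUser @input, '';
if not exists (select * from #hits) and object_id('users') is not null
  select 'Test Pass: input treated as data';
else
  select 'Test Fail: login bypassed or table missing';

-- Test 2 (control): valid credentials must still return exactly one row.
delete #hits;
insert into #hits exec uspValidateUser 'someuser', 'somepass';
if (select count(*) from #hits) = 1
  select 'Test Pass: valid login accepted';
else
  select 'Test Fail: valid login rejected';

-- Review aid: list procedures whose source assembles SQL at run time.
-- A LIKE match is only a heuristic; each hit needs a manual read.
select distinct o.name as review_candidate
from sysobjects o join syscomments c on c.id = o.id
where o.xtype = 'P'
  and (c.text like '%exec (%' or c.text like '%exec(%'
       or c.text like '%sp_executesql%');
GO
drop procedure uspValidateUser;
drop procedure uspValidateUserDyn;
drop table users;
```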
Review
Where do we go from here?
Module 1: Creating and testing basic stored procedures
Module 2: Testing stored procedures using SQL
Module 3: Using stored procedures for testing
Module 4: Introduction to Triggers
Module 5: Testing for database hacks: the SQL Injection attack
Course on scripting language
Advanced RDBMS courses
Resources in Appendix A
STQE www.sqe.com
QA forums
Yahoo group: Agile databases