Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] SQL discussion



On 1/13/2015 8:08 AM, markw at mohawksoft.com wrote:
> I'm a software engineer and I am constantly confounded by other engineers'
> trepidation/apprehension/dislike for the common database. SQL databases
> especially.

I share your confusion.  Part of it I suspect is that people don't want
to believe in the conservation of complexity principle.  SQL and
relational databases solve a large class of common problems in a close
to optimal way.  The fact that the interface to it is ugly I think is
less indicative of poor design, and more a result of being a very mature
technology that can be used in lots of ways.

Do people use SQL for things they shouldn't? Absolutely.  And Richard P.
pointed out a couple legit reasons to avoid them in certain circumstances.

However, there is a lot lost when moving away from the tried and true.
For instance, SQL injection attacks and cross-site scripting are well
known issues (indeed, OWASP's #1 and #2 issues), with mitigation
strategies.  I would find it hard to believe that nascent replacements
(of the No-SQL ilk) don't have equivalent injection vulnerabilities.
And defending against cross-site scripting (which affects you if your
web-facing front end uses any sort of persistent store backend) is
pretty difficult as I've found out lately.

Maybe I just live in a state of paranoia, but it's difficult to
personally analyze the security of each new thing. XSS makes it just
about impossible anyway, since you're no longer looking for well known
buffer-overrun issues that static code analysis can help you with.

Matt






BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org