Embedding html code in stored procedures


We seem to have a few developers here who think creating stored procedures that spit out HTML or Javascript code is a legitimate thing to do. In my mind this is the ultimate abuse of the separation of concerns model. Is doing something like this people have often seen people doing?


Yucko. There are a few issues:

<ul><li>Can't 'skin' the app - move to a totally new presentation like Flex, desktop forms, etc.</li> <li>You prevent graphic designers or UI experts from working in an environment that's productive for them.</li> <li>If you mix your HTML storage (some in templates, some in the db, some in app code), it's absolutely awful to track down UI issues.</li> <li>No IDE DOM/layout validation</li> <li>You can't preview or prototype without running the db.</li> </ul>


if this is done haphazardly it is probably a violation of the separation of concerns principle of layering

on the other hand, sprocs expressely written to generate html from database info can in some cases be very legit and efficient, esp. for highly dynamic soft-coded web sites, i.e. where part of the web site structure is encoded in the database, or where the database itself contains HTML fragments...


Horribly wrong! Just my opinion though.


Utlimate no-no. Aside from all the previous concerns like security, low coupling and layering, what happens when your company wants to syndicate the content, serve it to mobile devices (wap, etc.), use it in text based emails or print, etc.


I don't think the problem is separation of concerns so much as sprocs just lack the tools to do this right.

Also anyone else coming across this code is going to have problems figuring it out, and it's going to be very hard to source-control, integrate and unit test.

The only exception would be if your database actually stores Javascript or HTML that's edited elsewhere, as part of a CMS for instance.


I survived a job in a shop where the entire application emitted all HTML, thankfully using references to external CSS/JS.

At the time the project started, there was no support in Oracle for separate web/application server - everything went through PL/SQL.

Sometimes you just gotta use whatcha got.

Having said that, I don't believe there is any excuse for generating View level artifacts from Stored Procedures in any of the modern DBs or application architectures.


This is a classic novice error.

If you have to put mark up in SP output, you should at least use your own standardized encoding and then have the application process it into HTML/Javascript.

For example





A self-evident violation of the "low coupling, high cohesion" principle.

I can't imagine how they would suggest applying CSS formatting to such a beast.


Yes, I have seen many people do it, unfortunately. You're right though: it is vile.

Usually layer-separation problems are when two adjacent layers mix - you get business logic in the database layer, or presentation logic in the business layer. But this skips a layer entirely, putting user-side-presentation miles from where it belongs! Bound to be an unmaintainable horror.

If the scoundrels are unconvinced by such pleas for sanity, you may be able to catch them on security concerns. Database-layer functionality in stored procedures is unlikely to know how to escape text for output to HTML or JS-string-literal, resulting in very probable script-injection hacks leading to XSS attacks. For example if a user calls himself "Brian von < script>steal(document.cookie)< /script>" and that gets crudely concatenated into a stored procedure HTML result...


  • loading .json files generates 404 errors
  • Scaled image in NSImageView looks bad with layer-backing on
  • GHC Generics: How to write an implementation of (:+:) that converts sum types from/to integers?
  • Daydream Non-VR Mode in Unity 5.4.2f-GVR13 [duplicate]
  • jQuery’s css() lags when applied on scroll event
  • Does the program counter always have to change (upon a clock tick)?
  • ViewData, ViewBag and TempData violates MVC? [closed]
  • HikariPool-1 - Unusual system clock change detected, soft-evicting connections from pool
  • a concept similar to pointers in as3?
  • LibGdx GLES2.0 cube texel stretching
  • Where I store the custom exceptions in cakephp 3?
  • Android: how to determine cold start
  • Azure Diagnostic is not saving logs in azure tables
  • Linux command line : edit hacked index files
  • CoreData basics – to-many relationship array data
  • custom string delimiters stringtemplate-4
  • EditText is covered by Keyboard
  • Why are YouTube videos using 'youtube.com/v' not loading
  • During installation of Django, why do I keep getting ImportError: No module named django?
  • pillow imaging ImportError
  • Web.config system.webserver errors
  • Unable to decode certificate at client new X509Certificate2()
  • Meteor: Do Something On Email Verification Confirmation
  • Get data from AJAX - How to
  • Reading JSON from a file using C++ REST SDK (Casablanca)
  • All Classes Conforming to Protocol Inherit Default Implementation
  • Adding a button at the bottom of a table view
  • FB SDK and cURL: Unknown SSL protocol error in connection to graph.facebook.com:443
  • What is Eclipse's Declaration View used for?
  • Where to put my custom functions in Wordpress?
  • Websockets service method fails during R startup
  • Jquery - Jquery Wysiwyg return html as a string
  • SVN: Merging two branches together
  • RestKit - RKRequestDelegate does not exist
  • Is there a mandatory requirement to switch app.yaml?
  • WPF Applying a trigger on binding failure
  • Append folder name and increment by 1 using batch script
  • UserPrincipal.Current returns apppool on IIS
  • Android Heatmap on canvas or ImageView
  • Conditional In-Line CSS for IE and Others?