83 episodes

A series of episodes that look at databases and the world from a data professional's viewpoint. Written and recorded by Steve Jones, editor of SQLServerCentral and The Voice of the DBA.

Voice of the DBA Steve Jones

    • Technology

    SQL Injection is Not Acceptable

    SQL Injection has been a problem for my entire career. Thirty years ago I could have easily just blamed this on ignorance, as most of our developers didn't think about the nefarious ways that hackers enter data in our applications. These days, there isn't a good reason for this to keep happening, and the problem is us. I think that we don't provide good examples or training on secure coding or secure architecture as a normal part of teaching programming. In many organizations, we don't check for issues and prevent their release. Some do, but many don't. On top of this, the existing code is usually a poor template for writing future code. I do think Microsoft aims for secure coding in SQL Server, but in Windows there is work to be done.
    A few months ago, I saw an article that noted the US CISA organization and the FBI issued a secure-by-design alert (PDF) that noted there is no excuse for SQL Injection vulnerabilities (SQLi) in modern software. This alert notes that SQLi has been an "unforgivable vulnerability" since at least 2007. Inside the document on vulnerabilities, it notes that a single quote can't be used in certain fields: username, password, ID field, or numeric field. They also note that co-mingling user data and query data, like constructing queries on demand, is a poor practice.
    Read the rest of SQL Injection Is Not Acceptable

    • 3 min
    Five Years and Counting

    I almost called this "chasing a new laptop" since that's what I'm doing, but I decided to add the date because the current laptop I've been using was built in March 2019 and got to me in May 2019. I've had an HP Spectre x360, my second HP Spectre, and I've really enjoyed it. I'm also amazed it still runs. On the last few trips, the two rubber strips that run along the bottom (acting as feet) started to peel away. I've never seen that before and I tried to re-attach them a few times, but that didn't work well.
    Not a big deal, and I can live with that, but then during my Australian tour, the laptop started pausing and freezing a few times. It might be that there is too much software on there and needs a pave-and-reinstall, but I decided to check the age on the machine. That was when I realized it was five years old. It's been a great machine, but I don't think I've ever had a work laptop last that long with daily use. Of course, there was about a year during the pandemic when it was rarely used, so maybe its life lengthened during COVID.
    Read the rest of Five Years and Counting

    • 3 min
    Poor Database Design Realities

    One of the interesting things that I see at Redgate Software is how idealistic our developers and engineers can be. They often build our database DevOps products with the idea that customers will use well-designed databases. The systems will have primary keys, foreign keys, defaults, constraints, indexes, and more. Developers will use coding standards, and naming conventions, and will understand what data is stored in tables. Not in every case, but often.
    After all, that's how we build software, as teams, sharing information, publishing documentation for others, and following best practices.
    Read the rest of Poor Database Design Realities

    • 2 min
    Using AI for the First Draft

    At the Redgate Summit in London, I ran a panel talking about Platform Engineering and how we can make developers more productive. One of the questions from our audience revolved around AI (Artificial Intelligence) technologies and how they might assist. As a note, AI tech includes a lot of different things, like machine learning (ML) among other things, but a lot of people seeing the media and hype around LLMs (large language models) think those are AI. They see AI as what is implemented in ChatGPT and Copilot, which is correct, but incomplete.
    One of the panelists, Jeff Smith of Redgate, said that he views the output from AI as a first draft, something that bootstraps further work by a human. This can save time and can help someone be more productive, but it's a starting point and a boost, not a final product.
    Read the rest of Using AI for the First Draft

    • 3 min
    DBCC CLONEDATABASE is Semi-Discontinued

    I saw a tweet that DBCC CLONEDATABASE was being discontinued for production databases, which both scared me and didn't make sense. I've used this a few times for a quick copy of a database and like how it works. Discontinuing it seemed strange to me.
    Then I read the blog post, which notes that it's not being supported for production deployments. The post doesn't explain why, but I'm guessing this is because all the stats and other metadata move, and this might mess up the optimizer if different data is added. I don't know who deploys production databases like this, but I could see people who have federated or sharded databases using this to create a new blank copy and then uploading data into it. Or maybe people who need new databases that are distributed onto remote office/edge devices used it? If you use this to create production dbs, let me know.
    Read the rest of DBCC CLONEDATABASE is Semi-Discontinued

    • 2 min
    Life in a Startup

    I have worked for a few startup companies, including SQL Server Central. Each has been a different experience, and I learned a lot at each stop. However, I'm not sure I'd want to go through that process again at my age. I was thinking about the challenges and the excitement of being at a startup while reading about the founding of Reddit. The post doesn't go a lot into the technical details or the working life, but it is an interesting read from a VC investor.
    I also found this post on Choosing Startup Life, which talks about what the author thinks about before trying to start a company. He compares this with life in a Big Tech company, which relates to lots of companies, in technology or not. The main differences are lower salaries, less infrastructure, lots of work, and upside in a startup. Big companies have higher salaries and more perks, less stress and responsibility, and not a lot of context-switching. In general, that's been true in my experience, though in bigger companies that didn't think they were software companies, I sometimes could end up with a lot of context-switching.
    Read the rest of Life in a Startup

    • 4 min
