New Rule: no SELECT *

[silviomarghitola]

Language Usage / DML & SQL / General
Never use SELECT * in a (sub-)query that selects directly from tables or views

from SonarQube

Columns to be read with a "SELECT" statement should be clearly defined

SELECT * should be avoided because it releases control of the returned columns and could therefore lead to errors and potentially to performance issues.

Noncompliant Code Example

DECLARE
  myvar CHAR;
BEGIN
  SELECT * INTO myvar FROM DUAL;
 END;

Compliant Solution

DECLARE
  myvar CHAR;
BEGIN
  SELECT dummy INTO myvar FROM DUAL;
END;

Exceptions

Wrapper queries using ROWNUM are ignored.

SELECT *
FROM ( SELECT fname, lname, deptId
    FROM employee
    ORDER BY salary
  )
WHERE rownum <= 10

[PhilippSalvisberg]

A year ago I would have agreed. Last year I attended Sven Weller's talk named "Ketzerische Gedanken
zu SQL und PLSQL - glaub nicht alles was die Experten sagen". He showed that there are cases where select * is a good thing. Now I'm not convinced anymore that it is always a bad thing.

I tend to vote in favor of this rule, since a -- NOSONAR comment with some explanation why select * is used intentionally might be really a good thing.

[silviomarghitola]

Would it be possible to check whether the SELECT * query is fetchet in a %ROWTYPE variable?

[PhilippSalvisberg]

This is possible as long as the record is defined in the same file. The scope of analysis in PL/SQL Cop is a file. It will lead to false positives when e.g. cursors are defined in the package spec and they are stored in a dedicated file. Hence, I would not make the rule too complicated.

[S-Koell]

I would also agree that a select * is not a problem if you are using rowtypes.
Regarding the checking of rowtypes: If that doesnt work across files I'd rather leave that rule out.

[PhilippSalvisberg]

@S-Koell Thanks. If it would be possible to check could consider rowtypes, would that change your opinion?

[S-Koell]

If it would be possible to check for a select * into other_pkg.g_rowtype_var ...
Sure.

So the rule would be:

• Always use rowtypes when using select *

But there a still edge cases which could slip through and would be bad in my opinion:

declare
  cursor cur is select a, b, c from table;
  row cur%rowtype;
begin
  select * 
  into row 
  from table;
end;
/

[PhilippSalvisberg]

The point is there are cases where select * is bad, e.g. when the code breaks when changing the underlying data structure or more data is processed then necessary. To formulate this as a rule has some value.

I'd like to handle the rules (to some degree) independent of the validators. The restrictions regarding the capabilities of the validator might change over time (e.g. when the validator can optionally access the data dictionary or can consider multiple files for a check which is mainly a memory/performance driven limitation) to minimize false positives or negatives.

[S-Koell]

If I understand you correctly you'd do a rule like:

• Avoid Select * ... Note: Select * into rowtype is fine
  ?

[PhilippSalvisberg]

I'm for a rule named something like "Avoid using SELECT *". This emphasizes that the action should be prevented, but some exceptions may exist (see Avoid). Formulating the exceptions needs some thinking.

[S-Koell]

I'm still unsure because I don't want to make a blanket statement like that. If you are reasonable and use it correctly then Select * can be the best solution.

What's with the following case, which I consider "good":

FOR loop_emp IN
  (SELECT *
    FROM
      employees
    WHERE salary>15000)

[PhilippSalvisberg]

This can be good or bad. If your code processes automatically a newly created column in employees (and you really want that) then I would consider it good. Otherwise I question if it is really necessary to read all columns. If not I'd consider the SELECT * as bad because you process unnecessary data and you rob the optimizer of the capability to find a better plan (e.g. scan of a suited index instead of a full scan or index access).