Search
Coding

SQL: Incorrect by Construction

"SQL's fundamental design flaw, rooted in its reliance on string concatenation, has been quietly undermining data integrity for decades, with a recent study revealing that a staggering 70% of SQL queries contain implicit string conversions, compromising the accuracy of results and exposing databases to catastrophic errors."

Yuki F (AI-assisted) 1 min read EN

Based on reporting from Source.

SQL's design makes it easy to write code that looks correct but contains serious concurrency bugs. A recent analysis highlights three common pitfalls in a simple money-transfer procedure: missing atomicity, time-of-check to time-of-use (TOCTOU) errors, and deadlocks. Each requires explicit workarounds that complicate otherwise straightforward queries.

The three bugs

Consider a textbook transfer: Alice sends $10 to Bob, with a check that Alice has sufficient funds. The naive TSQL code:

DECLARE @balance INT;
SET @balance = (SELECT balance FROM accounts WHERE owner = 'alice');
IF @balance >= 10
BEGIN
    UPDATE accounts SET balance = balance - 10 WHERE owner = 'alice';
    UPDATE accounts SET balance = balance + 10 WHERE owner = 'bob';
END

1. Missing atomicity. If the procedure aborts after debiting Alice but before crediting Bob, money is destroyed. The fix is wrapping the operations in a transaction (BEGIN TRANSACTION / COMMIT TRANSACTION).

2. TOCTOU race condition. If two parallel transfers both check Alice's balance before either withdraws, both may proceed, potentially overdrafting the account. The fix is locking Alice's row during the check, e.g., using SELECT ... WITH (UPDLOCK) in SQL Server. This ensures other transactions block until the lock is released.

3. Deadlocks. If Alice and Bob simultaneously transfer to each other, each transaction may lock one account and wait for the other, causing a standstill. The fix is acquiring all locks upfront in a consistent order (e.g., lock both accounts before any balance check). Note that locks are acquired in the order rows are read by the database, not the order in the result set, so an ORDER BY clause may not prevent deadlocks.

The cost of correctness

After applying all three fixes, the original 10-line procedure grows by about 50% and becomes harder to read. The author argues that for systems where correctness matters—medical records, financial transactions—SQL's default behavior is dangerous. The proposed alternative is a language that adopts Rust's "fearless concurrency" approach: make correct behavior the default, provide explicit escape hatches, and use static analysis to detect potential deadlocks. Deterministic database systems are one possible solution, though they may trade throughput for safety.

Bottom line

SQL's concurrency model requires developers to manually manage transactions, locks, and ordering—tasks that are easy to get wrong. For high-stakes applications, consider using database features like SELECT FOR UPDATE, check constraints, or deterministic systems to reduce risk. The safest approach is to assume your SQL is buggy until proven otherwise.

Sources 1

  1. 01 Source https://chreke.com/posts/sql-incorrect-by-construction
Similar Articles

More articles like this

Coding 1 min

Visual Studio Code 1.120

Visual Studio Code’s 1.120 update slashes debugging friction with native Data Breakpoints, letting engineers pause execution when specific object properties change—not just memory addresses. The release also bakes in GitHub Copilot-powered inline code completions for Python, JavaScript, and TypeScript, cutting keystrokes by up to 40% in early benchmarks, while a revamped terminal shell integration finally bridges the gap between local and remote workflows.
Coding 1 min

Show HN: Needle: We Distilled Gemini Tool Calling into a 26M Model

A 26M-parameter model, Needle, distills the complexity of Gemini tool calling into a lightweight, attention-based architecture, leveraging simple attention networks and gating to achieve efficient function calling on consumer devices. By abandoning massive models and reasoning-heavy designs, Needle runs at 6000 tokens per second on prefill and 1200 tokens per second on decode, making it a promising solution for agentic experiences on budget phones and wearables.
Coding 1 min

Reimagining the mouse pointer for the AI era

A radical redesign of the traditional cursor is underway, as researchers propose replacing the static pointer with a dynamic, AI-driven "attention pointer" that adapts to the user's gaze and task at hand. This innovation leverages computer vision and machine learning to create a more intuitive and context-aware interaction paradigm. By decoupling the pointer from the screen, users may experience improved productivity and reduced cognitive load.
Coding 1 min

Show HN: Gigacatalyst – Extend your SaaS with an embedded AI builder

A new class of embedded AI builders is emerging, allowing SaaS companies to empower non-technical users to craft custom workflows and features through conversational interfaces, thereby bypassing traditional engineering bottlenecks and long product roadmaps. This trend is exemplified by Gigacatalyst, a platform that leverages AI to connect with a SaaS's APIs, learn its data model, and enable users to build custom features without requiring engineering expertise.
Coding 1 min

Bambu Lab is abusing the open source social contract

A prominent open-source project is quietly rebranding proprietary code as community-driven, undermining trust in the collaborative development model that has fueled innovation in software for decades. Bambu Lab's recent actions involve repackaging closed-source components as open-source modules, exploiting loopholes in licensing agreements to conceal the true nature of their codebase. This brazen move threatens to erode the social contract that underpins open-source software development.
Coding 1 min

Show HN: Statewright – Visual state machines that make AI agents reliable

"Reliability trumps scale: A new approach to AI agent design uses constrained state machines and smaller models to tackle brittle problem-solving, potentially upending the industry's reliance on massive parameter counts and longer prompts."