Why is DML not allowed in Constructor?

The act of creation of object shouldn't have immediate dangerous side effects. If I'll create hundreds of your objects - will they all fire 1 DML?

This also holds true in Visualforce / any web context. The mere act of displaying some page (might be VF embedded in detail page layout, might be requested by some nasty Javascript like CSRF) shouldn't cause say deletes to run. You can work around it with stuff like <apex:page ... action="{!afterCtorHook}"> but it would be caught for example in Salesforce security review.

User should understand what he's doing ("are you sure you want to delete these 100 records?"), click something to confirm that this is really what he wants to do...

Check these too:

  1. http://wiki.developerforce.com/page/Secure_Coding_Cross_Site_Request_Forgery (actually have a look at all items from http://wiki.developerforce.com/page/Secure_Coding_Guideline, well worth a read).
  2. https://developer.salesforce.com/forums?id=906F0000000957bIAA
  3. Try submitting your app to security scan? The report should provide some examples & explanations of the vulnerabilities: http://wiki.developerforce.com/page/Security_Tools

Using insert/update/delete in constructor is a bad practice in any language.

Establishing connection to DB - OK.
Constructor is used to create an object and initialize it's parameters; nothing more. I was trying to search for a better explanation but I failed.

I was taught to avoid using insert/update/delete operations when I worked with Java. It was enterprise project. The company had a lot of documents regarding how to code. And they have this rule to not use constructor for insert/update/delete. I think Select was ok. But I doubt it.

added
First, using DML in constructor will slow down initialization of your object. Second, it may fail and object just doesn't create at all. Second problem has it's roots from C/C++ where memory should be allocated for an object. In this case memory is allocated but object isn't created there.


A quick solution would be to place the dml operations in a single method that you call from the page action parameter.

for example VF page

<apex:page controller="pageController" action="{!doSomeDMLStuff}">

APEX Class

public pageController{

  private boolean doDML;

  //constructor
  public pageController(){

   //run some logic to decide if you need to execute dml statements

   if(logic = true){

      doDML= true;
   }

  //the method called from the page action

  public pagereference doSomeDMLStuff(){

     if(doDML){
         //run DML statements 

     }
     return null;
  }

}
}

Tags:

Apex

Recent Posts