Is it generally bad practice to use xp_cmdshell in SQL Server?

This stems from an earlier SO question.

If you are having to perform actions on the file system are you usually better off writing an application to handle those actions and making calls to SQL Server from that app? In what situations is usin开发者_C百科g xp_cmdshell a good idea?

It is just another tool to be used. As with all tools, use it when it fits. Some people may have very strong opinions one way or another, but at the end of the day, it is there.

SQL Server 2005 introduced sp_xp_cmdshell_proxy_account which alleviates the issue somewhat with privileges, so it becomes more useful.

Consider the powder-key question: Is it generally bad to allow people to carry guns (guns being dangerous being the correlation)? _{Cue arguments...}

When dealing with 3rd party apps where you don't have access to their source code, SQL Server may be the only or at least the most convenient place to put the logic needing access to the file system. Creating another app is just one more thing to worry about.

Security does become an issue. Additional privilages can be made available to users. http://msdn.microsoft.com/en-us/library/ms175046.aspx