NetManiac

Witold Rugowski on web20 wave with Ruby on Rails

Are ActiveRecord validations worth anything?

Posted on July 20, 2009 - Filed Under RubyOnRails, Security

If you're new here, you may want to subscribe to my RSS feed. You can also get updates by email Thanks for visiting!

ActiveRecord, which is core component of Rails framework (at least before Rails 3.0 become reality) provides a lot features which developers do love.

Validations are one of those features. They are methods which provide easy way to check if model is valid and protect consistency our data in database. Sounds good, but this is bullshit.

What AR really is ;) (c) CC <a href='http://www.flickr.com/photos/sekimura/'>sekimura</a>” title=”bullshit” width=”500″ height=”375″ class=”size-full wp-image-462″ /><p class=What AR really is ;) (c) CC sekimura

Active Record validations are prone to race conditions. Period. It does not make any sense to rely on them if You really have to have consistent data (I’m referring to unique constraint and validates_uniqueness_of). The only way to go is to have constraints put on database level. Or write a lot workaround code in Rails. Error prone as well.

What is race condition? Race condition (or race hazard) is when outcome of some operation depends on timing between other operations.

Let’s take for example creation of two records where one attribute should be unique. How does work validates_uniqueness_of?

First it checks in DB (via SELECT) if there already is record with such value as unique attribute. If there is no such record then it run INSERT command to create new record.

Now imagine two processes are trying to create such record in the same time. Since SELECT and INSERT are separate operation it is quite possible (remember we have two processes trying to do the same thing at once):

  1. Model.save in PROCESS 1
  2. Model.save in PROCESS 2
  3. SELECT FROM PROCESS 1 (result – no record in DB)
  4. SELECT FROM PROCESS 2 (result – no record in DB)
  5. INSERT FROM PROCESS 1
  6. INSERT FROM PROCESS 1

Now guess how many records will be created? :))

What is takeaway from this rant?

ActiveRecord brings to table a lot improvements which each developer loves, but there is no silver bullet. Such race condition can happen (unless You run one Rails process in non-threading mode, but this is not very useful setup :D) even on low traffic application.

If there is really some business need which requires You to have unique data You have to implement some constraints on database level.

Use AR, since it is wonderful tool, but when used properly. Or maybe – know shortcomings of tools You do use.

Popularity: 14% [?]

Hits for this post: 5954

Similar Posts

Comments

5 Responses to “Are ActiveRecord validations worth anything?”

  1. Brian Cardarella on July 20th, 2009 23:00

    To say that all validations are bullshit because of race conditions is wrong. In fact, most of the validation macros have nothing to do with race conditions and are quite useful. Validating the format of, length of, numericality of, presence of, association, etc…

    Pretty much every other validation is race condition free.

    And this is not new news, if you check out the API:

    http://api.rubyonrails.org/classes/ActiveRecord/Validations/ClassMethods.html#M002167

    You will see that race conditions are mentioned for the documentation of validates_uniqueness_of

    So, in short, AR validation are (in my opinion) worth quite a bit.

  2. Chris Heald on July 21st, 2009 0:16

    validates_uniqueness_of exists as a means for gracefully handling duplication issues. It isn’t foolproof, and the doc even specifically mentions this:

    http://api.rubyonrails.org/classes/ActiveRecord/Validations/ClassMethods.html#M002167

    Read the bit on optimistic concurrency control – it’s a graceful solution to a potentially difficult problem.

  3. Dan Kubb on July 21st, 2009 2:14

    In general I believe you should always use the database level constraints you have available to you. Not only can they save you from data integrity issues like this one, most databases with useful data tend to outlive the application that they were originally designed for. Given a long enough timeline, I believe most databases become integration databases.

  4. most controversial links : rails on February 5th, 2012 21:59

    Kramer auto Pingback[...] commentsharecancelsorry, this has been archived and can no longer be voted onloading…8001Are ActiveRecord validations worth anything? (nhw.pl)submitted 2 years ago by gst5 commentssharecancelsorry, this has been [...]

  5. ruby - Rails: Validation in model vs migration - Stack Overflow on October 29th, 2012 15:23

    Kramer auto Pingback[...] race conditions, and Rails' uniqueness validator in particular cannot guarantee uniqueness. Here's one article among many that documents why this is [...]

Leave a Reply