Posted on July 20, 2009 - Filed Under RubyOnRails, Security
ActiveRecord, which is core component of Rails framework (at least before Rails 3.0 become reality) provides a lot features which developers do love.
Validations are one of those features. They are methods which provide easy way to check if model is valid and protect consistency our data in database. Sounds good, but this is bullshit.
Active Record validations are prone to race conditions. Period. It does not make any sense to rely on them if You really have to have consistent data (I’m referring to unique constraint and
validates_uniqueness_of). The only way to go is to have constraints put on database level. Or write a lot workaround code in Rails. Error prone as well.
What is race condition? Race condition (or race hazard) is when outcome of some operation depends on timing between other operations.
Let’s take for example creation of two records where one attribute should be unique. How does work
First it checks in DB (via SELECT) if there already is record with such value as unique attribute. If there is no such record then it run INSERT command to create new record.
Now imagine two processes are trying to create such record in the same time. Since SELECT and INSERT are separate operation it is quite possible (remember we have two processes trying to do the same thing at once):
- Model.save in PROCESS 1
- Model.save in PROCESS 2
- SELECT FROM PROCESS 1 (result – no record in DB)
- SELECT FROM PROCESS 2 (result – no record in DB)
- INSERT FROM PROCESS 1
- INSERT FROM PROCESS 1
Now guess how many records will be created? :))
What is takeaway from this rant?
ActiveRecord brings to table a lot improvements which each developer loves, but there is no silver bullet. Such race condition can happen (unless You run one Rails process in non-threading mode, but this is not very useful setup :D) even on low traffic application.
If there is really some business need which requires You to have unique data You have to implement some constraints on database level.
Use AR, since it is wonderful tool, but when used properly. Or maybe – know shortcomings of tools You do use.
Popularity: 13% [?]
Hits for this post: 5061
- Extracting fixtures
- First save, then use :id
- Rake and arguments for tasks
- Skinny controller, fat model and Facebook
- MySQL collate setting in Rails application