Freek Van der Herten:
Breaking Laravel's firstOrCreate using race conditions
Jun 22, 2018 @ 14:46:52

In this new post to his site Freek Van der Herten shares a time when he was working on a data import that ended in some unexpected results thanks to an interesting race condition.

Recently I was working on a client project where a data import was performed via queues. Each record was imported in its own queued job using multiple queue workers. After the data import was done we had more rows than expected in the database. In this blogpost I'd like to explain why that happened.

He starts by digging into the code that used the firstOrCreate method in Laravel's Eloquent ORM to check whether an entry had already been created for the given data. The method uses two queries: one to determine whether the record exists and another to create it if not. Because the import ran on a queue with multiple workers, one worker's select could come back empty while another worker was still creating the same record, so both ended up inserting it. He even created a demo app to show it happening and includes screenshots showing the result. He recommends moving the process to a separate queue and having only one worker executing at a time. There's not a good code-based solution for it, as it's more of an issue with the architecture than the application itself.
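The check-then-insert window described above, as an added PHP example (not code from the linked post or from Laravel): two simulated workers run the same two-step lookup against an in-memory SQLite table, first interleaved and then one at a time. The `contacts` table, the helper names and the e-mail value are constructed for illustration, and the `pdo_sqlite` extension is assumed.

```php
<?php
// Added illustration; table, helpers and sample data are hypothetical.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, email TEXT)');
    return $db;
}

// Query 1 of the two-query pattern: is there already a matching row?
function recordExists(PDO $db, string $email): bool
{
    $stmt = $db->prepare('SELECT 1 FROM contacts WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchColumn() !== false;
}

// Query 2: create the row when query 1 found nothing.
function createRecord(PDO $db, string $email): void
{
    $db->prepare('INSERT INTO contacts (email) VALUES (?)')->execute([$email]);
}

function countRows(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM contacts')->fetchColumn();
}

$email = 'jane@example.test'; // constructed sample value

// Interleaved: both workers finish query 1 before either runs query 2,
// so each acts on a stale "not found" answer.
$db = makeDb();
$workerAFound = recordExists($db, $email);
$workerBFound = recordExists($db, $email);
if (!$workerAFound) { createRecord($db, $email); }
if (!$workerBFound) { createRecord($db, $email); }
echo 'interleaved workers: ', countRows($db), " row(s)\n";

// Serialized: each job completes both queries before the next one starts,
// which is what a dedicated queue with a single worker enforces.
$db = makeDb();
foreach (['job 1', 'job 2'] as $job) {
    if (!recordExists($db, $email)) { createRecord($db, $email); }
}
echo 'single worker:       ', countRows($db), " row(s)\n";
```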

tagged: laravel eloquent firstorcreate tutorial race condition

Link: https://murze.be/breaking-laravels-firstorcreate-using-race-conditions

Andy Bakun's Blog:
Race Conditions with Ajax and PHP Sessions
Nov 14, 2006 @ 15:49:00

Race conditions can be some of the hardest problems to work the kinks out of, especially in a more complex application that you're adding new functionality to. One such instance comes up when you add Ajax functionality into the mix. Because of its asynchronous nature, it can cause a race condition very easily. Andy Bakun has been there and done that in his code and has found some helpful hints he's sharing in this (info packed) post over on his blog.

One of the problems with race conditions is that it is often difficult to actually witness the ramifications of one when it happens, especially if you are not aware of it. If you've used PHP's built-in, default session handling (that uses files), you'll never come across the problem. However, things get interesting once you start using session_set_save_handler to write your own session handler.

He breaks it down into some more manageable chunks:

  • A Multi-processing but non-Threaded Environment
  • The Default PHP Session Handler
  • Observing the Race Condition
  • The Demo App Interface
  • Resource Contention
  • Minimizing Lock Holding Time
  • Why is per-variable locking important?
  • Rolling Your Own Session Handler
  • The Code

See? You didn't believe me when I said it was long... there's tons of great info in there about working with sessions in PHP and how to get Ajax to play nice when manipulating the data inside them. There's plenty of test code and some sidebars with additional information to keep you reading for a while. Be sure to check this one out, even if you're just working with PHP sessions and Ajax and don't have a race condition issue in your app - never hurts to be prepared.

tagged: ajax session threaded handler race condition tutorial lock

Hardened-PHP Project:
Advisory - PHP open_basedir Race Condition Vulnerability
Oct 04, 2006 @ 14:10:00

The Hardened-PHP Project has published another advisory today, this time for an issue with one of PHP's own internal features, open_basedir.

The design of the open_basedir feature of PHP that is meant to disallow access to files outside a set of configured directories is vulnerable to race conditions.

It was discovered that this design flaw can be exploited with the usage of PHP's symlink() function in a very easy way. We believe that the only solution to this problem is disabling the function symlink() while open_basedir is used (this feature was therefore added to our Suhosin PHP Security Extension).

They also note, unfortunately, that the problem may not be fixable due to how it can be implemented. They provide a more detailed explanation and some PHP pseudo-code to help illustrate the point.

tagged: openbasedir vulnerability race condition
