Race Condition in Connection::Replace()

[Mnkras]

@KorvinSzanto brought this to my attention, there are a few ways to solve this,

        $num = $this->query($qb->getSql())->fetchColumn();
        // race happens right here :/
        if ($num < 1) {
            $this->insert($table, $fieldArray);
        } else {
            $this->update($table, $fieldArray, $updateKeys);
        }

I currently have a hack way that executes a raw, MYSQL only query (using ON DUPLICATE KEY UPDATE).

The ideal solution is to migrate away from Connection::Replace() and use the EntityManager ($em->merge()) which handles this, but this code is there for BC with ADODB, and migrating everything is gonna be annoying. My current hack is below, its just basic query building (in a hacky way)

Looking for input from anyone on a better way to solve

diff --git a/concrete/src/Database/Connection/Connection.php b/concrete/src/Database/Connection/Connection.php
index ce98c0422c..9602590c2c 100644
--- a/concrete/src/Database/Connection/Connection.php
+++ b/concrete/src/Database/Connection/Connection.php
@@ -181,8 +181,14 @@ public function MetaColumnNames($table)
     public function Replace($table, $fieldArray, $keyCol, $autoQuote = true)
     {
         $qb = $this->createQueryBuilder();
-        $qb->select('count(*)')->from($table, 't');
-        $where = $qb->expr()->andX();
+        $qb->insert($table);
+        if ($autoQuote) {
+            foreach ($fieldArray as $key => $value) {
+                $fieldArray[$key] = $this->quote($value);
+            }
+        }
+        $qb->values($fieldArray);
+        $sql = $qb->getSQL();
         $updateKeys = array();
         if (!is_array($keyCol)) {
             $keyCol = array($keyCol);
@@ -194,18 +200,17 @@ public function Replace($table, $fieldArray, $keyCol, $autoQuote = true)
                 $field = null;
             }
             $updateKeys[$key] = $field;
-            if ($autoQuote) {
-                $field = $qb->expr()->literal($field);
-            }
-            $where->add($qb->expr()->eq($key, $field));
         }
-        $qb->where($where);
-        $num = $this->query($qb->getSql())->fetchColumn();
-        if ($num < 1) {
-            $this->insert($table, $fieldArray);
-        } else {
-            $this->update($table, $fieldArray, $updateKeys);
+        $on_dupe = ' ON DUPLICATE KEY UPDATE';
+        $dup_keys = [];
+        foreach ($updateKeys as $key => $value) {
+
+            $dup_keys[] = sprintf(' %s=%s', $key, $value);
         }
+        $on_dupe .= join(',', $dup_keys);
+        $sql .= $on_dupe;
+        $this->executeQuery($sql);
+
     }

     /**

[Remo]

@Mnkras why don't we call the mysql REPLACE instead? All we'd have to do is to add a method like this
https://github.com/doctrine/dbal/blob/master/lib/Doctrine/DBAL/Connection.php#L768-L790 but instead use REPLACE INTO.

[aembler]

That method makes sense too.

[Remo]

@aembler I started to work on this when I noticed one thing that would change. The signature of the replace method looks like this at the moment public function Replace($table, $fieldArray, $keyCol, $autoQuote = true). If we'd implement this using REPLACE INTO I wouldn't use $keyCol. MySQL would simply execute an update if it detects a key collision. While I'd expect this to be fine in most cases, one could have used the old replace method with keys that don't exist in the database in which case it would be a break change.
While the code with REPLACE INTO would be nicer, the code by @Mnkras seems to be safer.

[Remo]

Sorry for spamming you guys, but I got confused when I read @Mnkras PHP code, but it actually has the same problem. We use INSERT INTO and only run an update operation if MySQL has detected a key collision. The code actually has a bug in it. They key columns are only used in the update part, but that's not right because we have to set the values either way.

Here's the query generated by that code (ortic@8e58539)

INSERT INTO CollectionVersionBlocksOutputCache (cID, cvID, bID, arHandle, btCachedBlockOutput, btCachedBlockOutputExpires)
VALUES('1', '3', '57', 'Header Site Title', '<a href=\"http://localhost:8000/index.php\" id=\"header-site-title\">Elemental</a>', '1668666612') 
ON DUPLICATE KEY
UPDATE cID='1', cvID='3', arHandle='Header Site Title', bID='57'

What happens now is that the block cache is seens as expired, but the value of btCachedBlockOutputExpires is never updated. The block cache is getting useless.

In the end we basically have these options:

• Use REPLACE INTO or the commit above with a small change to include all values in the update and change the behaviour we've had.
• Keep the existing logic with the additional query and use REPLACE INTO instead of INSERT INTO to avoid those exceptions.

I'd vote for the second option

[aembler]

Yeah, I see what you're saying – I vote for the second option too.

[mlocati]

AFAIK when REPLACE INTO sees an already existing record, it deleted the old record and creates a new record. This is a breaking change, since we currently update the existing record in case it already exists (in case of autoincrement fields, with REPLACE INTO the record ID will change)

[joe-meyer]

Are we just trying to solve the Insert Into from hitting a race condition or something else? If it's just the race condition we're worried about do we even care about writing down a second update statement? Who's to say the first statement that got written wasn't really the second web request to be issued? On duplicate key ignore might be just as good of an option as any i'm not sure.

I think REPLACE INTO is maybe overstepping and possibly oversimplifying here because it does do a delete/insert (as @mlocati mentions) which if anyone has foreign keys set up that could trigger cascading deletes or foreign key errors which I'm not sure is intended.

[Remo]

Okay, then let's keep the existing where to run an update and instead of using an insert into we are going to use an insert into .. on duplicate. That way we don't break the existing logic where the key columns don't match the database keys and we don't execute a delete/insert which might cause other breaking changes. Any objections?

[aembler]

That sounds good to me @Remo

[mlocati]

I found a solution that's more portable than the MySQL-specific INSERT ... ON DUPLICATE KEY UPDATE syntax: #6779