OSCommerce Product Manager

OSCommerce Product Manager for Windows
Tasklist

FS#221 - Data used should be real time data...

Attached to Project: OSCommerce Product Manager
Opened by Mario A. Valdez-Ramirez (mvaldez) - Thursday, 07 July 2005, 13:23 GMT-6
Last edited by Mario A. Valdez-Ramirez (mvaldez) - Friday, 15 June 2007, 22:47 GMT-6
Task Type Bug Report
Category Backend / Core
Status Assigned
Assigned To Mario A. Valdez-Ramirez (mvaldez)
Operating System All
Severity Medium
Priority Immediate
Reported Version any
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No

Details

The data managed by the application is not really 100% current data. From the time the data is fetched from the SQL server to the moment the user press "Ok" (or whatever control is available) to update the data in the server, the server data could have changed.

I the user load a product listing and waits several hours, then edit the data of a product, the data in the server may have changed. For example, the products in stock could have changed. For most operations, this is not important unless there are several users trying to edit the same products at the same time.

Critical data usually is only stock (because is forbidden to charge a credit card if the product is not really in stock).

A solution is to reload the critical data and then do the updating with the "expected" data. For example, if the editing product has a stock of 5, and the user requested to change it to 10 (a plus 5 differece), the applications should send to the server a query to update the stock adding 5 units, not setting it to 10. So, in case there has been two sales (leaving an stock of 3), the final stock would be 8. Maybe showing a warning to the user would be fine.

Or maybe warning should be enough, for example, before updating the data, a new product record is fetched and compared with the original one, alerting the user of any potential conflict and giving him a resolution option.
This task depends upon

Comment by Mario A. Valdez-Ramirez (mvaldez) - Saturday, 16 July 2005, 22:16 GMT-6

Consulting the user is a better approach. Guessing on behalf of the user can lead to unexpected (from the user point of view) bahavior.

Comment by Mario A. Valdez-Ramirez (mvaldez) - Saturday, 16 July 2005, 22:18 GMT-6

Also, note that this problem also happens to the osCommerce web interface.


Comment by Mario A. Valdez-Ramirez (mvaldez) - Friday, 15 June 2007, 22:40 GMT-6
According to Wikipedia, this is a Time-of-check-to-time-of-use type of race condition. However in this case it doesn't cause any security problem.
Comment by Mario A. Valdez-Ramirez (mvaldez) - Friday, 15 June 2007, 22:47 GMT-6
From "Program Security" by SL Pfleeger and CP Pfleeger (ISBN: 0-13-035548-8):

"It is also known as a serialization or synchronization flaw... The problem is called a time-of-check to time-of-use flaw because it exploits the delay between the two times. That is, between the time the access was checked and the time the result of the check was used, a change occurred, invalidating the result of the check... We must be wary whenever there is a time lag, making sure that there is no way to corrupt the check's results during that interval."

Their focus was on security (credential checking) but the idea is the same. (By the way, the server-side script of OSCPMWin does not have this kind of problem during authentication, as each time a request is made the credentials are checked).

Loading...