by mintplant 3059 days ago
> To do that, I created a DbUpdateExceptionHandler middleware that handles database-related exceptions globally (especially duplicate value inserts):

My security sense is tingling. Sounds like a convenient opening for me to finagle your app into an unexpected state (by crafting requests that trigger update failures, interrupting execution at targeted points).


Well, the server was going to return an error anyways. Instead of checking if the entity exists then trying to create it, you just go ahead and try to create it. This way, if the entity doesn't exist then you've saved a trip to the database. Otherwise you return the same error. And given the server is a black box, how would you "interrupt execution"?

> checking if the entity exists then trying to create it,

Checking first and failing can still be problematic without the right database isolation setting.

Better to try it and catch the database error (which might include another unique constraint other than primary key... depending on db design).
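
The check-then-insert race discussed in this thread, as an added example that is not part of any comment above and is not the article's EF Core middleware. It uses Python with SQLite as a stand-in; the `users` table, the function names and the sample rows are constructed for illustration.

```python
import os
import sqlite3
import tempfile

SCHEMA = """CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    email TEXT NOT NULL UNIQUE)"""
INSERT = "INSERT INTO users (username, email) VALUES (?, ?)"

def open_db(path):
    # isolation_level=None: autocommit, so each statement commits on its own
    return sqlite3.connect(path, isolation_level=None)

def create_check_first(conn, username, email, between=None):
    """Check, then insert. `between` simulates a concurrent request
    that lands after the check has passed but before the insert."""
    rows = conn.execute("SELECT 1 FROM users WHERE username = ?",
                        (username,)).fetchall()
    if rows:
        return "conflict:username"
    if between:
        between()
    conn.execute(INSERT, (username, email))  # can still violate a constraint
    return "created"

def create_insert_and_catch(conn, username, email):
    """Insert and let the database decide; map the violation to one result."""
    try:
        conn.execute(INSERT, (username, email))
        return "created"
    except sqlite3.IntegrityError as exc:
        # SQLite message: "UNIQUE constraint failed: users.<column>"
        return "conflict:" + str(exc).rsplit(".", 1)[-1]

def race_demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.db")
        a, b = open_db(path), open_db(path)
        a.execute(SCHEMA)
        rival = lambda: create_insert_and_catch(b, "alice", "b@example.test")
        try:
            first = create_check_first(a, "alice", "a@example.test", rival)
        except sqlite3.IntegrityError:
            first = "unhandled IntegrityError"
        # The username is new, but the e-mail collides with the rival's row.
        second = create_insert_and_catch(a, "bob", "b@example.test")
        a.close(); b.close()
        return first, second

if __name__ == "__main__":
    print(race_demo())
```

The first result shows the check passing and the insert still failing on a path the check-first code never handled; the second shows the insert-and-catch path reporting a conflict on a unique column other than the one a pre-check would have looked at.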