如何从jsp到servlet获取值并进行mysql查询

Question

I have login form in index.jsp and login servlet . Depend on privileges if the username and password are correct one of the three .jsp pages are opened ( admin.jsp, user1.jsp, user2.jsp ). In opened .jsp page username of user is showed (${User.username}) . I also have bean "User" which stores user data.

Login servlet

public class Login extends HttpServlet {
 @Override
protected void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    response.setContentType("text/html;charset=UTF-8");
    PrintWriter out = response.getWriter();
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    User user = new User();
    user.setUsername(username);
    user.setPassword(password);

    try {
        HttpSession session = request.getSession(true);
        Class.forName("com.mysql.jdbc.Driver");
        Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/database","root","");
        Statement stm = conn.createStatement();
        if( !(username.equals("")) && !(password.equals("")) ){
          String query = "SELECT * FROM users WHERE username='"+username+"' AND password='"+password+"'";
          ResultSet res = stm.executeQuery(upit);
          if(res.next()){
              String username = res.getString(2);
              int privileges = res.getInt(9);
              int active = res.getInt(10);
              user.setUsername(username);
              user.setPrivileges(privileges);
              user.setActive(active);

              sesija.setAttribute("user", user);
              if(privileges==1 && active==1){
                    RequestDispatcher r = request.getRequestDispatcher("/admin.jsp");
                    r.forward(request, response);
              }
              ......rest of the code

    }catch(Exception e){
    out.println(e);}
}

In admin.jsp I have line:

<div id="topMenu>${user.username} | <a href="Logout">Logout</a></div>

Bean "User"

public class User {

private String username;
private int privileges;
private int active;



public String getUsername() {
    return username;
}
public void setUsername(String username) {
    this.username = username;
}
public int getPrivileges() {
    return privileges;
}
public void setPrivileges(int privileges) {
    this.privileges = privileges;
}

 public int getActive() {
    return active;
}
public void setActive(int active) {
    this.active = active;
}


}

User has possibility of searching for products in database in accordance with his privileges. After he clicks on the search button I want to retrieve his username and to use for making database query in new servlet. When I put manually username of user in servlet code (in sql query statement) for purpose of code checking, everything works fine and result is generated, but I have problem to obtain value automatically when user hits search button.

Thanks in advance

Answer 1

You should simply store the user name (or rather, its unique ID), in the HTTP session once it's authenticated. That way, for every request coming to the server, you know which user is sending it:

if (res.next()) {
    String username = res.getString(2);
    request.getSession().setAttribute("authenticatedUserName", username);

And every time you need to get the current authenticated user:

String authenticatedUserName = 
    (String) request.getSession().getAttribute("authenticatedUserName");

Side note: learn to use prepared statements . Your code is vulerable to SQL injection attacks, and will break as soon as a user has a single quote in its name or password. Also, don't use an int when what you really want is a boolean (active, for example, should be a boolean).