将价值传递给arraylist

时间:2014-02-11 17:32:54

标签: java jsp arraylist

这是我的用户验证页面。 我想在检查用户密码和id后传递ArrayList中的用户名。 之后我想在主页面显示名称,但是, 我在主页面中获得空值。 如何在ArrayList中添加用户名?

// DwB: I love sql injection attacks - this is bad.
rs=st.executeQuery("select * from registration where U_ID='"+
    U_ID+"' and Pass='"+Pass+"' ");
while(rs.next()){
    na1=rs.getString("U_ID");
    pw=rs.getString("Pass");
    Name=rs.getString("U_N");}

    if((U_ID.equals(na1))&&(Pass.equals(pw))){
        HttpSession session=request.getSession();
        //List<String> user= new ArrayList<>();
        //String id=(String)session.getAttribute("ID"); 

        //session.setAttribute("loggedIn",Name);

        String username = request.getParameter("Name");
        List<String> users = (List<String>)session.getAttribute("users");

        if(null == users) {
            users = new ArrayList<String>();
        }
        users.add(username);
        session.setAttribute("users", users);
        //response.sendRedirect("Welcome.jsp");

        request.setAttribute("U_ID",na1);
        request.getRequestDispatcher("/Welcome.jsp").forward(request, response);

2 个答案:

答案 0 :(得分:1)

不确定这是否有效,但这里有一些小改动:

版本1 

    rs = st.executeQuery("select * from registration where U_ID='" + uId + "' and Pass='" + pass + "' ");  // changed the variables to lower case

    while (rs.next()) {
        na1 = rs.getString("U_ID");
        pw = rs.getString("Pass");
        name = rs.getString("U_N");
    }

    if ((uid.equalsIgnoreCase(na1)) && (pass.equalsIgnoreCase(pw))) {  // always compare two strings with string.equalsIgnoreCase(otherString);
        // ... do stuff with your list
    }

解释:在Java中,您的变量应该以小写字母开头,当您比较两个字符串时,请将它们与方法string1.euqalsIgnoreCase(string2);进行比较。此方法将逐个比较字符串的每个字符。方法string1.equals(string2)仅比较对象引用,而不是内容。

版本2 

    rs = st.executeQuery("select U_N, COUNT(*) from registration where U_ID='" + uId + "' and Pass='" + pass + "' ");  // count(*) is enough, you don't need all the data from the row + changed the variables to lower case
    rs.next();
    if(rs.getInt(1)>0){ // the username/password kombination exists at least 1 times
       // .. do stuff with your list               
        name = rs.getString("U_N"); 
    }

说明:计算数据库中用户ID和密码与搜索匹配的行就足够了。如果结果集的行数超过0,则表示您的用户已登录

列表中的内容 

    HttpSession session = request.getSession();

    //session.setAttribute("loggedIn",Name);
    String username = request.getParameter("Name");
    ArrayList<String> users = (ArrayList<String>) session.getAttribute("users");  // use ArrayList directly

    if (users == null) { 
        users = new ArrayList<>();  // diamond operator: the type is already given in the declaration
    }
    users.add(username);
    session.setAttribute("users", users);
    //response.sendRedirect("Welcome.jsp");

    request.setAttribute("uId", uId);
    request.getRequestDispatcher("/Welcome.jsp").forward(request, response);
    if (!session.containsKey(arrayListID)) {
    // Place the number the user entered into the session
        session.put(arrayListID, numbersEntered);
    } else {
        ArrayList<Integer> list = (ArrayList<Integer>) session.get(arrayListID);
        list.add(1 /* what you want */);
    // Retrieve session data
    }

解释:这不会改变任何东西,但我只是在if-clause(null == users)中看到你在转换为ArrayList之前实例化List。虽然这是完全允许的,但为什么不直接转换为ArrayList?

答案 1 :(得分:0)

正如所写,从SQL注入攻击漏洞的荣耀中可以看出,当数据库中找不到用户ID和密码时,保证没有任何值添加到ArrayList

此代码if((U_ID.equals(na1))&&(Pass.equals(pw)))没有价值,因为你永远不会得到那个if语句,除非那个雕像已经是真的。您的查询只会找到与用户ID和密码匹配的行。

您的问题可能与区分大小写有关。 考虑更新数据库,使U_ID列全部为大写(或全部小写) 然后适当地调整用户输入的用户ID的大小写(全部大写或全部小写)。

密码区分大小写似乎很好。

相关问题
最新问题