我在index.jsp
和login servlet
中有登录表单。如果用户名和密码正确,则依赖于权限打开三个.jsp页面之一(admin.jsp, user1.jsp, user2.jsp
)。在打开的.jsp页面中,用户的用户名显示为(${User.username})
。我也有bean" User"它存储用户数据。
登录servlet
public class Login extends HttpServlet {
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
String username = request.getParameter("username");
String password = request.getParameter("password");
User user = new User();
user.setUsername(username);
user.setPassword(password);
try {
HttpSession session = request.getSession(true);
Class.forName("com.mysql.jdbc.Driver");
Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/database","root","");
Statement stm = conn.createStatement();
if( !(username.equals("")) && !(password.equals("")) ){
String query = "SELECT * FROM users WHERE username='"+username+"' AND password='"+password+"'";
ResultSet res = stm.executeQuery(upit);
if(res.next()){
String username = res.getString(2);
int privileges = res.getInt(9);
int active = res.getInt(10);
user.setUsername(username);
user.setPrivileges(privileges);
user.setActive(active);
sesija.setAttribute("user", user);
if(privileges==1 && active==1){
RequestDispatcher r = request.getRequestDispatcher("/admin.jsp");
r.forward(request, response);
}
......rest of the code
}catch(Exception e){
out.println(e);}
}
在 admin.jsp 中,我有一行:
<div id="topMenu>${user.username} | <a href="Logout">Logout</a></div>
Bean&#34;用户&#34;
public class User {
private String username;
private int privileges;
private int active;
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public int getPrivileges() {
return privileges;
}
public void setPrivileges(int privileges) {
this.privileges = privileges;
}
public int getActive() {
return active;
}
public void setActive(int active) {
this.active = active;
}
}
用户可以根据自己的权限在数据库中搜索产品。在他点击搜索按钮后,我想检索他的用户名并用于在新的servlet中进行数据库查询。当我在servlet代码中手动输入用户名(在sql查询语句中)以进行代码检查时,一切正常并生成结果,但是当用户点击搜索按钮时我有问题自动获取值。
提前致谢
答案 0 :(得分:0)
一旦经过身份验证,您应该只在HTTP会话中存储用户名(或者更确切地说,它的唯一ID)。这样,对于每个进入服务器的请求,您都知道哪个用户正在发送它:
if (res.next()) {
String username = res.getString(2);
request.getSession().setAttribute("authenticatedUserName", username);
每次您需要获得当前经过身份验证的用户时:
String authenticatedUserName =
(String) request.getSession().getAttribute("authenticatedUserName");
附注:学会使用prepared statements。您的代码对SQL注入攻击是有趣的,并且只要用户的名称或密码中有单引号就会中断。另外,当你真正想要的是一个布尔值时,不要使用int(例如,激活应该是一个布尔值)。