Java Web 应用程序 DAO 将经过身份验证的用户 ID 和 IP 地址写入数据库
每当我执行 SQL 更新和插入时,我想将登录用户(Web 应用程序)的用户 ID 和 IP 地址写入我的 Oracle DB。例如
public static int updateUser(STKUser user, STKUser loggedIn) throws DAOException {
Connection connection = null;
connection = DB.getConnFromCache();
PreparedStatement ps = null;
String query = "INSERT INTO xtblPersonnel (pID, pPssWrd, pAdminDate, pAdminIP, pAdminBy) VALUES (?,?,SYSDATE,?,?)";
try {
ps = connection.prepareStatement(query);
ps.setString(1, user.getBadge());
ps.setString(2, user.getPassword());
ps.setString(3, loggedIn.getIpAddress());
ps.setString(4, loggedIn.getBadge());
return ps.executeUpdate();
}
catch (Exception e) {
System.out.println("SQL Exception inserting new user with badge: " + user.getBadge() + ". Error Message: " + e.getMessage());
LOGGER.log(Level.INFO, "SQL Exception inserting new user with badge: " + user.getBadge() + ". Error Message: " + e.getMessage(), user);
throw new DAOException("SQL Exception inserting new user!");
// return 0;
}
finally {
DB.closePreparedStatement(ps);
DB.releaseConnToCache(connection);
}
}
STKuser 是一个 Javabean
我的应用程序使用通用的 Oracle 数据库用户名和密码,因此这就是我想要记录谁进行更新或插入以及从哪台机器进行更新或插入的原因。
这是一种可以接受的方法吗?我曾经参加过会议,但现在意识到这是不行的。
I'd like to write to my Oracle DB the user ID and IP address of the logged in user (web app) whenever I perform SQL UPDATEs and INSERTs. Such as
public static int updateUser(STKUser user, STKUser loggedIn) throws DAOException {
Connection connection = null;
connection = DB.getConnFromCache();
PreparedStatement ps = null;
String query = "INSERT INTO xtblPersonnel (pID, pPssWrd, pAdminDate, pAdminIP, pAdminBy) VALUES (?,?,SYSDATE,?,?)";
try {
ps = connection.prepareStatement(query);
ps.setString(1, user.getBadge());
ps.setString(2, user.getPassword());
ps.setString(3, loggedIn.getIpAddress());
ps.setString(4, loggedIn.getBadge());
return ps.executeUpdate();
}
catch (Exception e) {
System.out.println("SQL Exception inserting new user with badge: " + user.getBadge() + ". Error Message: " + e.getMessage());
LOGGER.log(Level.INFO, "SQL Exception inserting new user with badge: " + user.getBadge() + ". Error Message: " + e.getMessage(), user);
throw new DAOException("SQL Exception inserting new user!");
// return 0;
}
finally {
DB.closePreparedStatement(ps);
DB.releaseConnToCache(connection);
}
}
STKuser is a Javabean
My application uses a general Oracle db username and password so that is the reason why I want to record who did the update or insert and from which machine.
Is this an acceptable approach. I used to pass in the session but have realized this is a no no.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
假设您在
finally块中正确关闭了所有数据库资源,例如Connection、Statement和ResultSettry块在您获取它们的地方并且代码正在执行它应该执行的操作,我不认为所讨论的方法会出现问题。由于您使用的是PreparedStatement,因此不存在 SQL 注入风险(如果这是您真正关心的问题)。然而,声明方法static有点难闻,但是我们需要更多地了解代码运行的上下文。Assuming that you're properly closing all DB resources as
Connection,StatementandResultSetin thefinallyblock of thetryblock where you acquired them and the code is doing what it should do, I don't forsee problems with the approach in question. There is no risk for SQL injections since you're usingPreparedStatement, if that was your actual concern. Declaring the methodstaticis however a bit a smell, but then we need to know more about the context the code is running in.