Hi all
Find below a snippet of my servlet code. One question: many users will
use this servlet to query our database for info on their products. No
user must see another's data. Would this code be safe? I suspect I will
have to move the connection into a pool or similar, but would like a
response on it as it stands, please.
Please rip it to shreds as I must understand and guarantee thread
safety. What are the 'golden rules'? The code is for design and test
only.
Thanks
Steve
code below:
import java.io.*;
import java.sql.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class RepServlet extends HttpServlet
{
    // Instance fields: one copy per servlet instance
    private Connection con = null;
    private String DBDriver = "COM.ibm.db2.jdbc.app.DB2Driver";
    private String database = "jdbc:db2:aDatabase";
    private String user = "user";    // all users connect through
    private String pwd = "password"; // same global id + password
    private int product;
    private String SQLQuery1 = "select * from aTable a " +
                               "where a.prod_no = ";
    private String SQLQuery2 = " with ur";

    // Loads the driver and opens the single connection at servlet start-up
    public void init ( ServletConfig config ) throws ServletException
    {
        super.init ( config );
        try
        {
            Class.forName ( DBDriver );
            con = DriverManager.getConnection ( database, user, pwd );
        }
        catch ( ClassNotFoundException e )
        {
            throw new UnavailableException ( this, "Couldn't load driver" );
        }
        catch ( SQLException e )
        {
            throw new UnavailableException ( this, "Couldn't get connection" );
        }
    }

    public void doGet ( HttpServletRequest req, HttpServletResponse res )
        throws ServletException, IOException
    {
        res.setContentType ( "text/html" );
        ServletOutputStream out = res.getOutputStream ();
        StringBuffer buf = new StringBuffer ();
        getQueryString ( req ); // method in servlet not shown, gets product
        validateUser ( id );    // validation of user method, not shown
        // stmt and id are not declared anywhere in this snippet
        if ( stmt.execute ( ( SQLQuery1 + product + SQLQuery2 ) ) )
        {
            ResultSet rs = stmt.getResultSet ();
            ResultSetMetaData rsmd = rs.getMetaData ();
            while ( rs.next () )
            {
                //use results to produce html output
            }
        }
        else
        {
            buf.append ( "<B>Hmmmm......</B> " );
        }
        res.setContentLength ( buf.length () );
        out.println ( buf.toString () );
        out.flush ();
        out.close ();
    }
}
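
An added example, not part of the original post: a servlet container normally serves concurrent requests through one servlet instance, so an instance field such as `product` above is shared by every request thread. The stand-alone sketch below (class and method names are hypothetical, product numbers are constructed, no servlet API needed) simulates two users and counts how often one of them ends up with the other's product number when it is kept in a field rather than in a local variable.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical stand-in for a servlet: one instance, many request threads.
public class SharedFieldDemo {
    private int product;                       // shared by all threads, like RepServlet.product

    // Mirrors the posted flow: store the parameter in a field, then read it back for the query.
    int handleUnsafe(int requested) {
        product = requested;                   // the "getQueryString(req)" step
        Thread.yield();                        // widen the window in which another request can write
        return product;                        // value that would be concatenated into the SQL
    }

    // Per-request state kept in a local variable lives on the calling thread's stack.
    int handleSafe(int requested) {
        int localProduct = requested;
        Thread.yield();
        return localProduct;
    }

    // Runs two simulated users and returns how many requests used the other user's product.
    static int countLeaks(boolean safe, int requestsPerUser) throws InterruptedException {
        SharedFieldDemo servlet = new SharedFieldDemo();
        AtomicInteger leaks = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);
        Thread[] users = new Thread[2];
        for (int u = 0; u < users.length; u++) {
            final int mine = 1000 + u;         // constructed sample product numbers
            users[u] = new Thread(() -> {
                try { start.await(); } catch (InterruptedException e) { return; }
                for (int i = 0; i < requestsPerUser; i++) {
                    int used = safe ? servlet.handleSafe(mine) : servlet.handleUnsafe(mine);
                    if (used != mine) leaks.incrementAndGet();
                }
            });
            users[u].start();
        }
        start.countDown();                     // release both users at the same moment
        for (Thread t : users) t.join();
        return leaks.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("instance field: " + countLeaks(false, 1_000_000) + " cross-user reads");
        System.out.println("local variable: " + countLeaks(true, 1_000_000) + " cross-user reads");
    }
}
```

The first count varies from run to run and is usually above zero; the second is always 0, because nothing in `handleSafe` is visible to the other thread.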