protected collegeTable getCollege(String id, Connection con) throws SQLException { try { ResultSet rs = null; Statement statement = con.createStatement(); rs = statement.executeQuery( "SELECT * FROM " + TABLECOLLEGES + " WHERE " + collegeTable.ID + " = " + id + " LIMIT 1"); // if found if (rs.next()) { collegeTable table = new collegeTable(); table.setID(id); table.setShort(rs.getString(collegeTable.SHORTNAME)); table.setFull(rs.getString(collegeTable.FULLNAME)); return table; } else { return null; // not found } } catch (Exception e) { log.writeException(e.getMessage()); throw new SQLException(e.getMessage()); } } // end getCollege
private String processRequest( HttpServletRequest request, HttpServletResponse response, ConnectionPool conPool) throws Exception { // getting id parameters ParameterParser parameter = new ParameterParser(request); String bookID = parameter.getString(bookInterface.FIELD_ID, null); String sellerID = parameter.getString(bookInterface.FIELD_SELLERID, null); String message = parameter.getString(FIELD_MESSAGE, null); int codeID = parameter.getInt(bookInterface.FIELD_HIDDENID, 0); // get buyer's user object User user = (User) request.getSession().getAttribute(StringInterface.USERATTR); // security feauture: // if one of ids is missing or incorrect return false if (bookID == null || sellerID == null || codeID == 0 || bookID.length() != booksTable.ID_LENGTH || sellerID.length() != usersTable.ID_LENGTH || codeID != Math.abs(bookID.hashCode())) { return "We were unable to find the book you specified! Please make sure that the book id is correct."; } if (user.getID().equals(sellerID)) { return "You may not purchase an item from yourself!"; } // get connection Connection con = conPool.getConnection(); try { booksTable book = generalUtils.getBook(bookID, con); /*security feauture: *check seller id == passed hidden id *book != null */ if (book == null || !book.getSellerID().equals(sellerID)) { return "We were unable to find the book you specified! Please make sure that the book id is correct."; } usersTable sellerInfo = userUtils.getUserInfo(sellerID, con); usersTable buyerInfo = userUtils.getUserInfo(user.getID(), con); collegeTable college = getCollege(book.getCollegeID() + "", con); // if still here continue if (message == null) { request.setAttribute(ATTR_BOOK, book); request.setAttribute(ATTR_SELLER, sellerInfo); request.setAttribute(ATTR_BUYER, buyerInfo); request.setAttribute(ATTR_COLLEGE, college.getFull()); RequestDispatcher rd = getServletContext().getRequestDispatcher(PATH_BUY_CONFIRM); rd.include(request, response); return null; } else if (buy(book, user, con)) { // sending email to buyer request.setAttribute(mailInterface.USERATTR, buyerInfo.getUsername()); request.setAttribute(mailInterface.EMAILATTR, buyerInfo.getEmail()); request.setAttribute(mailInterface.BOOKATTR, book); request.setAttribute("book_id", bookID); request.setAttribute("seller_id", sellerID); RequestDispatcher rd = getServletContext().getRequestDispatcher(PATHBIDCONFIRMATION); rd.include(request, response); // sending email to seller request.setAttribute(ATTR_COLLEGE, college.getFull()); request.setAttribute(mailInterface.USERATTR, sellerInfo.getUsername()); request.setAttribute(mailInterface.EMAILATTR, sellerInfo.getEmail()); request.setAttribute(mailInterface.MESSAGEATTR, message); request.setAttribute(mailInterface.BOOKATTR, book); request.setAttribute(mailInterface.MOREATTR, buyerInfo); request.setAttribute("book_id", bookID); request.setAttribute("buyer_id", user.getID()); rd = getServletContext().getRequestDispatcher(PATHBOOKUPDATE); rd.include(request, response); // showing success message rd = getServletContext().getRequestDispatcher(PATH_BUY_SUCCESS); rd.include(request, response); return null; } else { throw new Exception("failed to process with buy"); } } catch (Exception e) { throw e; } finally { // recycle conPool.free(con); con = null; } }