I'd like to write to my Oracle DB the user ID and IP address of the logged-in user (web app) whenever I perform SQL UPDATEs and INSERTs. Such as:

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.util.logging.Level;

// Note: despite the name, this method runs an INSERT, not an UPDATE.
public static int updateUser(STKUser user, STKUser loggedIn) throws DAOException {
  Connection connection = null;
  connection = DB.getConnFromCache();   // pooled connection, shared DB account

  PreparedStatement ps = null;

  // Audit columns pAdminDate/pAdminIP/pAdminBy record when, from where and by whom.
  String query = "INSERT INTO xtblPersonnel (pID, pPssWrd, pAdminDate, pAdminIP, pAdminBy) VALUES (?,?,SYSDATE,?,?)";
  try {
    ps = connection.prepareStatement(query);
    ps.setString(1, user.getBadge());
    ps.setString(2, user.getPassword());
    ps.setString(3, loggedIn.getIpAddress());   // taken from the server-side logged-in user, not the form
    ps.setString(4, loggedIn.getBadge());
    return ps.executeUpdate();
  }
  catch (Exception e) {
    // Reported twice: once to stdout and once to the logger.
    System.out.println("SQL Exception inserting new user with badge: " + user.getBadge() + ". Error Message: " + e.getMessage());
    LOGGER.log(Level.INFO, "SQL Exception inserting new user with badge: " + user.getBadge() + ". Error Message: " + e.getMessage(), user);
    throw new DAOException("SQL Exception inserting new user!");
    // return 0;
  }
  finally {
    // Always release the statement and the pooled connection, success or failure.
    DB.closePreparedStatement(ps);
    DB.releaseConnToCache(connection);
  }
}

STKUser is a JavaBean.

My application uses a general Oracle DB username and password, so that is the reason why I want to record who did the update or insert and from which machine.

Is this an acceptable approach? I used to pass in the session but have realized this is a no-no.

A: 

Assuming that you're properly closing all DB resources such as Connection, Statement and ResultSet in the finally block of the try block where you acquired them, and the code is doing what it should do, I don't foresee problems with the approach in question. There is no risk of SQL injection since you're using PreparedStatement, if that was your actual concern. Declaring the method static is however a bit of a smell, but then we need to know more about the context the code is running in.

BalusC
Static because the method is just CRUD. But I'm still learning J2EE. The way I call it, Eclipse prompted me to change it to static. If everything is good on the form then I call: STKUserDAO.insert(formUser, loggedInUser);
jeff
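As an added example (not the poster's or BalusC's code), the same audited insert as a non-static DAO that releases its resources with Java 7 try-with-resources, which gives the close-in-finally discipline the answer assumes without the manual finally block. It assumes a javax.sql.DataSource in place of DB.getConnFromCache(), the STKUser bean from the question, and that DAOException has a (String, Throwable) constructor.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.sql.DataSource;

// Hypothetical DAO, not the original poster's class. STKUser is assumed to be the
// JavaBean from the question with getBadge(), getPassword() and getIpAddress().
public class STKUserDAO {
    private static final Logger LOGGER = Logger.getLogger(STKUserDAO.class.getName());
    private static final String INSERT_SQL =
        "INSERT INTO xtblPersonnel (pID, pPssWrd, pAdminDate, pAdminIP, pAdminBy) "
      + "VALUES (?, ?, SYSDATE, ?, ?)";

    private final DataSource dataSource; // pooled connections on the shared DB account

    public STKUserDAO(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    /**
     * Inserts a new user and records who performed the insert and from where.
     * The audit values come from loggedIn, the server-side authenticated user,
     * never from the submitted form, so a client cannot write its own audit trail.
     */
    public int insert(STKUser user, STKUser loggedIn) throws DAOException {
        // try-with-resources closes ps, then connection, in reverse order of
        // acquisition, whether executeUpdate() returns or throws.
        try (Connection connection = dataSource.getConnection();
             PreparedStatement ps = connection.prepareStatement(INSERT_SQL)) {
            ps.setString(1, user.getBadge());
            ps.setString(2, user.getPassword());
            ps.setString(3, loggedIn.getIpAddress());
            ps.setString(4, loggedIn.getBadge());
            return ps.executeUpdate();   // bound parameters, so no SQL injection via badge or IP
        } catch (SQLException e) {
            // Log the badge and the cause only; do not log the password or the whole bean.
            LOGGER.log(Level.WARNING, "SQL Exception inserting new user with badge: " + user.getBadge(), e);
            throw new DAOException("SQL Exception inserting new user!", e);   // assumed constructor
        }
    }
}
```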