Reputation: 2262
I created a java program with JDBC that successfully connects to my computer server's MySQL database like this:
try
{
// The newInstance() call is a work around for some
// broken Java implementations
Class.forName("com.mysql.jdbc.Driver").newInstance();
}
catch (Exception ex)
{
// handle the error
}
try
{
conn = DriverManager.getConnection(("jdbc:mysql://191.168.1.15:3306/databasename"), "username", "password");
// Do something with the Connection
}
catch (SQLException ex)
{
// handle any errors
System.out.println("SQLException: " + ex.getMessage());
System.out.println("SQLState: " + ex.getSQLState());
System.out.println("VendorError: " + ex.getErrorCode());
}
However, if someone who wanted to figure out the password, it would be very simple with any java decompiler. How would I be able to prevent them from finding the password, or username even, for that matter?
Upvotes: 5
Views: 13407
Reputation: 28722
I would suggest using a proxy, that returns json or xml after a query. That way you can build in security from server side, set honeypot traps, build your own encoder decoder for the queries, send stuff over https to prevent listeners.
What you could also try is store the username and password in a string and pass them on as variables. then build a complex matrix of similar things and do seemingly complex things with it, to wear down a hacker so he loses interest after two hours trying to find your code.
You could also consider putting the password in a native library dll or .so depending on your platform...
problem stays, a hacker only has to implement your piece of code and he has full blown access, so i’d strongly reccomend the proxy.
Upvotes: 0
Reputation: 4062
The only way to do it is to use a encrypted password and store that in a separate file. To de-compile it use webservice.
Or much better way , If you don't want user to know your code, create complete application through webservice, in that way client will have access to the external api, and you need not to put your business logic jars on client machine. This I suppose is the best way to achieve the case.
Upvotes: 0
Reputation: 838206
When you give your users direct access to your database, then you have to remember that you have given them direct access to your database. You cannot change that. No amount of encryption or obfuscation can take that away that they have access to your database.
So you need to consider, do you really want them to have access to your database?
If you do want to give database access, make sure the permissions are set correctly. For example, if they only need read access, make sure that the user you have given them only has read access.
If you don't actually want them to access the database directly but you want them to have access to the data then don't put the database password in your program at all. You might for example want to set up a web service in front of your database and have your users query the web service. The web service would have the database password, but your users would not.
Upvotes: 10
Reputation: 32170
You don't. This is why static passwords are bad.
Typically what you do in an enterprise environment is authenticate to the database using external authentication methods (e.g., LDAP, Active Directory) and then using groups you determine the level of access your users require.
MySQL does support external authentication methods. MS SQL Server does as well.
Upvotes: 1
Reputation: 12538
That depends on your application. If you want to hide this information you could build a web service or a web application. This data is secure. Otherwise you usually don't want them to access your database and they should configure their own database.
Otherwise you give them access to your database and that user should have the according permissions its requires and you should check every action within the database.
Upvotes: 0
Reputation: 3985
Move the jdbc string into a configuration file separate from your compiled classes and or jar file. This way if you distribute the code then they would also need your configuration file.
Upvotes: 0