Geek Answers Handbook

How to hide MySQL database password from people using the program

I created a java program with JDBC that successfully connects to my MySQL server MySQL database as follows:

try { // The newInstance() call is a work around for some // broken Java implementations Class.forName("com.mysql.jdbc.Driver").newInstance(); } catch (Exception ex) { // handle the error } try { conn = DriverManager.getConnection(("jdbc:mysql://191.168.1.15:3306/databasename"), "username", "password"); // Do something with the Connection } catch (SQLException ex) { // handle any errors System.out.println("SQLException: " + ex.getMessage()); System.out.println("SQLState: " + ex.getSQLState()); System.out.println("VendorError: " + ex.getErrorCode()); }

However, if someone who wanted to find out the password, it would be very simple with any java decompiler. How could I prevent them from finding a password or even a username, for that matter?

+4
source share
6 answers

When you give your users direct access to your database, you must remember that you have given them direct access to your database. You cannot change this. No amount of encryption or obfuscation can log in so that they have access to your database.

So, you need to consider if you really want them to have access to your database?

  • If you want to provide access to the database, make sure that the permissions are set correctly. For example, if they only need read access, make sure that the user you provide them with read-only access.

  • If you really do not want them to directly access the database, but you want them to have access to the data, do not put the database password in your program at all. For example, you can set up a web service in front of your database and ask your users to access the web service. The web service will have a database password, but your users will not.

+10
source

Not. This is why static passwords are bad.

Typically, in a corporate environment, you authenticate the database using external authentication methods (such as LDAP, Active Directory), and then use the groups that you define for the level of access that your users require.

MySQL supports external authentication methods . MS SQL Server also does.

+1
source

Move the jdbc line to the configuration file separately from your compiled classes or jar file. Thus, if you distribute the code, then you will also need your configuration file.

0
source

It depends on your application. If you want to hide this information, you can create a web service or a web application. This data is safe. Otherwise, you usually do not want them to access your database, and they must set up their own database.

Otherwise, you give them access to your database and this user must have the appropriate permissions necessary for this, and you must check every action in the database.

0
source

The only way to do this is to use an encrypted password and save it in a separate file. To compile it, use webservice.

Or much better. If you do not want the user to know your code, create a complete application through webservice, so the client will get access to the external api, and you do not need to put their banks of business logic on the client machine. This, I believe, is the best way to achieve this.

0
source

I would suggest using a proxy that returns json or xml after the request. Thus, you can create protection from the server, set honeypot traps, create your own encoder decoder for requests, send data via https to prevent listening.

What you can also try is to save the username and password in a string and pass them as variables. then create a complex matrix of similar things and do fairly complex things with it to wear out the hacker so that he loses interest after two hours trying to find your code.

You may also consider entering a password into the dll library of your native library or .so depending on your platform ...

the problem remains, the hacker should only implement his piece of code, and he has full access, so id strongly recommends a proxy.

0
source

More articles:


All Articles