Geek Answers Handbook

Database Error Issues and Database Password Security Issues

I use the following code to initialize a database connection:

public Connection getConnection() { try { if (null == connection) { String driverName = "com.mysql.jdbc.Driver"; // MySQL MM JDBC driver Class.forName(driverName); // Create a connection to the database String serverName = "localhost"; String database = "database"; String url = "jdbc:mysql://" + serverName + "/" + mydatabase; // a JDBC url String username = "username"; String password = "password"; connection = DriverManager.getConnection(url, username, password); } return connection; } catch (ClassNotFoundException cnfe) { cnfe.printStackTrace(); } catch (SQLException sqle) { sqle.printStackTrace(); } throw new NullPointerException("Cannot establish database connection..."); }

and I know this is bad practice, and I ran FindBugs against the code and got a security problem: This code creates a database connect using a hardcoded, constant password. Anyone with access to either the source code or the compiled code can easily learn the password. This code creates a database connect using a hardcoded, constant password. Anyone with access to either the source code or the compiled code can easily learn the password.

What is the best way to initialize a database connection without compromising security?

+7
java security findbugs
source share
5 answers

The vast majority of web applications use a hard-coded username / password for their SQL connection. Verification of production credentials in the initial inspection or providing trainees with the opportunity to remove the manufacturing base is usually not approved. Production credentials should be protected, and only privileged employees should have access to them.

Common for web applications is leaking configuration files. For example, if the .xml file is stored in webroot, then it can be accessed remotely: http://localhost/configs/db_config.xml .

It is common practice to deny access to your database (block TCP port 3306 for mysql). This is actually a PCI-DSS requirement. Even if a username and password must be obtained, it would be useless.

+1
source share

Read the password from the properties file or LDAP or similar and safe access to them only for the account used to run the software (which no developer should have access to).

+2
source share

Use simple files to store database properties and read them in code instead of hard coding. This is not only clean, but also restricting access to files.

This link may help you.

+2
source share

This code creates a database connection using a hard-coded permanent password.

This security issue occurs because you used the database name, username, and password. But you cannot solve the problem " Anyone who has access to the source code, or compiled code can easily find out the password ." I am sure that U can solve the first problem.

You can use “Properties” to include the name and password of your database with which you could encode the “Properties” object using the setproperty () method.

Now you can include the property object in the getConnection () method:

 conn = DriverManager(url, properyObject);
+1
source share

You can save the password in the configuration file and then encrypt the file / sections of the file using DPAPI if you are using a Windows window. This way, you also won’t have to worry about key management.

0
source share

More articles:


All Articles