Encrypt sensitive SQL information in java

Question

Encrypt sensitive  SQL information in java

Anonymous User · Accepted Answer

"(1) First of all, the db driver will need to be provided with the username/password unencrypted, so if you're worried about having that information unencrypted in memory, it won't really make a difference. There are generally easier ways of getting access to your db than attempting to scan your memory for username/password strings anyway.(2)If you're making an application where you will be distributing the byte-code (.class files, or .jar files), then people could technically go through that byte-code and find hard-coded strings such as the username/password (but it might be hard to determine what exactly they are even though you have the string).(3)If you're making an application that'll be running on a web server, no one should get access to your byte-code or your memory anyway, and so it shouldn't really be possible (unless they've hacked your server in some way before-hand) for them to get any of this information. You'll likely want to externalise your database connection information in a properties file however so that it can be easily configured by someone administering the software, although that may not be the case depending on your requirements.SQL injection is a completely different question and is a bit too broad for me to try to cover here. I'd recommend you read up on ways of dealing with it, but largely it will boil down to using prepared statements rather than just executing SQL (which will often increase your performance as well)."

Anonymous User · Answer

(1) First of all, the db driver will need to be provided with the username/password unencrypted, so if you're worried about having that information unencrypted in memory, it won't really make a difference. There are generally easier ways of getting access to your db than attempting to scan your memory for username/password strings anyway.

(2)If you're making an application where you will be distributing the byte-code (.class files, or .jar files), then people could technically go through that byte-code and find hard-coded strings such as the username/password (but it might be hard to determine what exactly they are even though you have the string).

(3)If you're making an application that'll be running on a web server, no one should get access to your byte-code or your memory anyway, and so it shouldn't really be possible (unless they've hacked your server in some way before-hand) for them to get any of this information. You'll likely want to externalise your database connection information in a properties file however so that it can be easily configured by someone administering the software, although that may not be the case depending on your requirements.

SQL injection is a completely different question and is a bit too broad for me to try to cover here. I'd recommend you read up on ways of dealing with it, but largely it will boil down to using prepared statements rather than just executing SQL (which will often increase your performance as well).

forum

Encrypt sensitive SQL information in java

Can you answer this question?

1 Answers