ENCRYPT SENSITIVE SQL INFORMATION IN JAVA

Samuel Fernandes

Total Post:159

Points:1117
Posted by  Samuel Fernandes
 559  View(s)
Ratings:
Rate this:
I have connected  oracle database in my Java application, I will have to write down the jdbc url and put the username and password for that database, I don't know the way to hack this password without the source of the program, but do I have to encrypt? is there a way to encrypt? and what about sql injection?
  1. Mayank Tripathi

    Post:397

    Points:3117
    Re: Encrypt sensitive SQL information in java

    (1) First of all, the db driver will need to be provided with the username/password unencrypted, so if you're worried about having that information unencrypted in memory, it won't really make a difference. There are generally easier ways of getting access to your db than attempting to scan your memory for username/password strings anyway.

    (2)If you're making an application where you will be distributing the byte-code (.class files, or .jar files), then people could technically go through that byte-code and find hard-coded strings such as the username/password (but it might be hard to determine what exactly they are even though you have the string).

    (3)If you're making an application that'll be running on a web server, no one should get access to your byte-code or your memory anyway, and so it shouldn't really be possible (unless they've hacked your server in some way before-hand) for them to get any of this information. You'll likely want to externalise your database connection information in a properties file however so that it can be easily configured by someone administering the software, although that may not be the case depending on your requirements.

    SQL injection is a completely different question and is a bit too broad for me to try to cover here. I'd recommend you read up on ways of dealing with it, but largely it will boil down to using prepared statements rather than just executing SQL (which will often increase your performance as well).

Answer

NEWSLETTER

Enter your email address here always to be updated. We promise not to spam!