patternjavaMajor
Is my Java SQL connection secure from hackers?
Viewed 0 times
securesqljavafromhackersconnection
Problem
I would like to know if my java db class is enough protected against hackers. (I'm currently developing an Android application). I protect it with a infos.properties file which contains every information that I need.
If it is not enough protected, what should I do then ?
final class DB {
static final String DRIVER;
static final String URL;
static final String USER;
static final String PASSWORD;
static {
Properties prop = new Properties();
try {
prop.load(new FileInputStream("infos.properties"));
} catch (IOException e) {
e.printStackTrace();
}
DRIVER = prop.getProperty("DRIVER");
URL = prop.getProperty("URL");
USER = prop.getProperty("user");
PASSWORD = prop.getProperty("password");
}
public static ResultSet doQuery(String query)
{
try {
Class.forName(DRIVER);
Connection conn = DriverManager.getConnection(URL, USER, PASSWORD);
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(query);
if (rs != null) rs.close();
if (stmt != null) stmt.close();
if (conn != null) conn.close();
return (rs);
} catch (ClassNotFoundException e) {
e.printStackTrace();
} catch (SQLException e) {
e.printStackTrace();
}
return null;
}
}If it is not enough protected, what should I do then ?
Solution
Do not store the connection information in a file unencrypted
Assuming that you are connecting to a database somewhere on the internet... If you plan on distributing this application, do not store the connection information unencrypted in a file on the user's device. In fact, preferably don't store the database connection information at all.
Do not let your Android application connect directly to your remote database!
It is not recommended to let your Android application, or any other distributed application, connect directly to your database. This is because it is very easy to decompile an application, which would give information about the connection details, your database structure, and a whole lot of other things.
Instead, perform connections to a server-side script or application that is responsible for handling the connection between your Android application and your database. Only let this script/application that only you control deal with the database connection.
Unless you deal with this, any number of prepared statements your application itself uses doesn't matter, as a user could just find out the connection details from your application and then create their own connection to the database server.
Assuming that you are connecting to a database somewhere on the internet... If you plan on distributing this application, do not store the connection information unencrypted in a file on the user's device. In fact, preferably don't store the database connection information at all.
Do not let your Android application connect directly to your remote database!
It is not recommended to let your Android application, or any other distributed application, connect directly to your database. This is because it is very easy to decompile an application, which would give information about the connection details, your database structure, and a whole lot of other things.
Instead, perform connections to a server-side script or application that is responsible for handling the connection between your Android application and your database. Only let this script/application that only you control deal with the database connection.
Unless you deal with this, any number of prepared statements your application itself uses doesn't matter, as a user could just find out the connection details from your application and then create their own connection to the database server.
Context
StackExchange Code Review Q#49720, answer score: 20
Revisions (0)
No revisions yet.