Java MySQL security question

Hi, I am interested in using MySQL for certain things in my applets, but I do not understand much about it.

The link below has an example of how to do it, but the username and password are in the applet. Does this mean the MySQL account could easily be hacked?
http://www.java2s.com/Code/Java/Database-SQL-JDBC/AppletJDBC.htm

Is there a better way to do it?
Thanks,
roland

Not absolutely true.

If you are just concerned about the username and password, try playing with those Strings. You can encrypt them or write them as bytes in your code. The sample provided at that link is enough, I think. To do better, you can use a servlet, but that seems out of the question.

Depending on what you want to do with MySQL, it might or might not be okay to connect from an applet to a MySQL server. If the only thing you want to do is run selects and you set up the MySQL account to only run selects, then it's not horribly bad, but I don't recommend doing it anyway. If you want to do anything else (update/insert/delete), then you shouldn't put the connection in the applet. This is due to the username and password being available to anyone with some decompile/compile skills.

If you want to use a database, use the server as an application server (PHP/Tomcat/servlet and so on) and let that one connect to the database, as there is no such thing as applet security.

Mike

On a first look, obviously, the only line that's dangerous is

"jdbc:mysql://192.168.1.25/accounts?user=spider&password=spider"

which is plaintext and shows the data.

Now you can just encrypt and then decrypt only this string, using whatever.

In internet security I have actually only dealt with hashes like SHA-512, which isn't an option for you, as hashes cannot be "decoded".

So RSA should be an option, or even SSH somehow.

If you've got a MySQL database exposed to the internet (i.e. applets) you're in trouble. Save yourself a load of headaches and go through a middle layer, and keep the database away from the front line. My advice would be to use HTTP in the applet (it easily gets through proxies and firewalls) and a servlet engine on your webserver which talks to a private database, or a firewalled database only accessible from certain IP addresses.

Cas
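As an added example (not code from the thread or from the java2s page), this is the middle-layer layout Mike and Cas describe, built only on classes shipped with the JDK: the applet talks HTTP to a small gateway on the web server, and only the gateway holds the MySQL credentials and opens the JDBC connection. Everything beyond the thread is an assumption: a server-side file `db.properties` with keys `db.url`, `db.user` and `db.password`, a table `scores(player, score)` in the `accounts` database from the URL quoted above, a `/score` endpoint, and MySQL Connector/J on the server's classpath.

```java
// Added example (not from the thread): JDK-only HTTP gateway in front of MySQL.
// Assumptions: db.properties on the server (db.url, db.user, db.password), a
// read-only MySQL account, a table scores(player VARCHAR, score INT) in the
// `accounts` database, and MySQL Connector/J on the server classpath.
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Properties;
import java.util.regex.Pattern;

public class ScoreGateway {
    // Player names are checked against a small character set before reaching SQL.
    private static final Pattern PLAYER = Pattern.compile("[A-Za-z0-9_]{1,32}");
    private final Properties db = new Properties();

    public ScoreGateway(String propertiesPath) throws IOException {
        try (FileInputStream in = new FileInputStream(propertiesPath)) {
            db.load(in); // credentials are read here, on the server, and never sent out
        }
    }

    // The only operation the client can trigger: read one player's score.
    // Returns null for an invalid name, "0" when the player is unknown.
    String lookupScore(String player) throws SQLException {
        if (player == null || !PLAYER.matcher(player).matches()) {
            return null;
        }
        try (Connection c = DriverManager.getConnection(db.getProperty("db.url"),
                                                        db.getProperty("db.user"),
                                                        db.getProperty("db.password"));
             PreparedStatement ps = c.prepareStatement(
                     "SELECT score FROM scores WHERE player = ?")) {
            ps.setString(1, player); // bound parameter, never string concatenation
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Integer.toString(rs.getInt(1)) : "0";
            }
        }
    }

    private void handle(HttpExchange ex) throws IOException {
        String query = ex.getRequestURI().getQuery(); // expected form: player=<name>
        String player = (query != null && query.startsWith("player="))
                ? query.substring("player=".length()) : null;
        int status;
        String body;
        try {
            String score = lookupScore(player);
            if (score == null) { status = 400; body = "bad player"; }
            else { status = 200; body = score; }
        } catch (SQLException e) {
            status = 500;
            body = "db error"; // details go to the server log, not to the client
            e.printStackTrace();
        }
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(status, bytes.length);
        try (OutputStream os = ex.getResponseBody()) { os.write(bytes); }
    }

    public static void main(String[] args) throws Exception {
        ScoreGateway gw = new ScoreGateway(args.length > 0 ? args[0] : "db.properties");
        HttpServer server = HttpServer.create(new InetSocketAddress(8080), 0);
        server.createContext("/score", gw::handle);
        server.start();
    }
}

// Applet side: plain HTTP back to the code base. No JDBC driver, no hostname of
// the database and no credentials are in the jar, so there is nothing to decompile.
class ScoreClient {
    static String fetchScore(URL codeBase, String player) throws IOException {
        URL url = new URL(codeBase, "score?player=" + player);
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(url.openStream(), StandardCharsets.UTF_8))) {
            return r.readLine();
        }
    }
}
```

Two server-side details make the layout worth the extra hop. First, the MySQL account named in `db.properties` should be granted SELECT only on the tables the gateway reads (GRANT SELECT ON accounts.scores TO that user), so even a bug in the gateway cannot turn into an update or delete. Second, `db.properties` lives outside anything the web server serves, and MySQL itself listens only on localhost or an address reachable from the web server's IP, which is the "firewalled database only accessible from certain IP addresses" Cas mentions.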

Thanks for the info everyone. I will take your advice princec, and until I can pay for a server I will stick with HTTP/PHP scripts.

Talking about decompiling, maybe servlets and applets are the same in their Java code and class files. But a servlet is (usually) saved under the WEB-INF directory on the server, which can't be accessed without making the same efforts.