
Let's say I want to connect to an Oracle database in my Java application. I will have to write down the JDBC URL and put the username and password for that database. I don't know a way to hack this password without the source of the program, but do I have to encrypt? Is there a way to encrypt? And what about SQL injection?

Ali Bassam
  • If you don't want the user to have access to the password, don't provide it to them, no matter in which form. If you don't want them to be able to access the DB, then write a front-end process that acts as a gate-keeper to the DB. The application *they* get only contacts the gate-keeper and talks to it in terms of actual business-operations. The gate-keeper validates that it's actually an allowed action and *then* takes the corresponding DB actions. – Joachim Sauer Jul 02 '12 at 12:14
  • What kind of java application is it? Where does it run? – Qwerky Jul 02 '12 at 13:04

3 Answers

3

You're not really providing enough information to know your full circumstances, but I'll try to break down a few general things you may want to know. First of all, the DB driver will need to be provided with the username/password unencrypted, so if you're worried about having that information unencrypted in memory, it won't really make a difference. There are generally easier ways of getting access to your DB than attempting to scan your memory for username/password strings anyway.

If you're making an application where you will be distributing the byte-code (.class files, or .jar files), then people could technically go through that byte-code and find hard-coded strings such as the username/password (but it might be hard to determine what exactly they are even though you have the string).

If you're making an application that'll be running on a web server, no one should get access to your byte-code or your memory anyway, and so it shouldn't really be possible (unless they've hacked your server in some way beforehand) for them to get any of this information. You'll likely want to externalise your database connection information in a properties file, however, so that it can be easily configured by someone administering the software, although that may not be the case depending on your requirements.

SQL injection is a completely different question and is a bit too broad for me to try to cover here. I'd recommend you read up on ways of dealing with it, but largely it will boil down to using prepared statements rather than just executing SQL (which will often increase your performance as well).

Vala
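An added example (not code from the answer above) of the two points it makes: the connection details are read from a properties file outside the jar, and the same lookup is shown once with string concatenation, which is injectable, and once as a PreparedStatement. The file path, the property key names and the `users` table are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Path;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class DbAccessExample {

    // Credentials live in a file outside the jar (assumed: db.properties next to
    // the application, readable only by the account that runs it), so they are
    // neither hard-coded in the byte-code nor shipped to end users.
    static Connection open(Path propsFile) throws IOException, SQLException {
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(propsFile.toFile())) {
            props.load(in);
        }
        // Assumed keys: db.url, db.user, db.password
        return DriverManager.getConnection(
                props.getProperty("db.url"),
                props.getProperty("db.user"),
                props.getProperty("db.password"));
    }

    // Vulnerable: user input is pasted into the SQL text, so a single quote in
    // either value changes the structure of the statement (SQL injection).
    static boolean loginUnsafe(Connection c, String user, String pwHash) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = '" + user
                + "' AND pw_hash = '" + pwHash + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Safe: the statement text is fixed and the values are bound as parameters;
    // the driver sends them as data, so they can never alter the query structure.
    static boolean loginSafe(Connection c, String user, String pwHash) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = ? AND pw_hash = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, pwHash);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```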
1

I'm working on a registration form in Java and I am running into the same problem. The only thing that makes sense to me is using a PHP form for sign-up; that way they don't access your database and only communicate through the server. Instead of giving a user permission to the database, I somehow envision a one-way encryption method that will match the password to a hash only after hashing it when the user types in their password. With some understanding of hacking, I feel that any information accessible by the user is a security flaw. The moderators have said numerous times not to store the password in plain text in the source code. SQL has some ways of giving limited DB permissions, and you could delete information as needed.

Below is a link that I would trust somewhat, but it's basically leaving yourself a paper trail where the hash must be extracted from a zip file hidden somewhere, retrieved during auth, and it can be added to a website.

https://www.pkware.com/software/developer-tools/sdk/toolkit-for-java

0

You can encrypt the password and store it in a DB or a secured area using the AES algorithm. When you construct a JDBC URL, retrieve this information and decrypt it. More information can be had from this link: Java 256-bit AES Password-Based Encryption

SQL injection is a different kind of vulnerability that exists in the code when there is no validation done on the data that is used to construct SQL statements.

UVM
  • How would you get the encrypted password from the DB if you needed said password to access the DB in the first place? – jtahlborn Jul 02 '12 at 12:29
  • @jtahlborn, use a separate table for storing the encrypted password. This can be a one-time activity. Later on, whenever it is required, get it from this DB and decrypt it. – UVM Jul 02 '12 at 12:34
  • A separate table? In the same database? Using a separate table doesn't solve anything. – jtahlborn Jul 02 '12 at 15:08