I've been working on a Java project for a while now, and before I make it available for public download, I'd like to add in a feature which requires me to connect to a MySQL database. My question is simple: How would I go about hiding the password to the database if the code is open-source?
Asked
Active
Viewed 1,177 times
5
-
You want users of your code to connect directly to your database server and not a MySQL instance they setup themselves? Are you able to give any details as to what sort of feature this is? Could a possible alternate solution be to prop up a restful web service that consumers could connect to and be controlled through without making your database server public to anyone? – Charlie Jan 19 '13 at 06:36
3 Answers
4
Store the database connection settings separate from your code.
ta.speot.is
- 26,914
- 8
- 68
- 96
-
How exactly would I store it in a format that would be unreadable though? – Max Roncace Jan 19 '13 at 06:18
-
1Separate the configuration of your application from the code. When the user deploys the file, make them supply the configuration. You don't need to pull any obfuscation shenanigans that way. – ta.speot.is Jan 19 '13 at 06:19
-
As in, have the user import a separate file? If it's possible, I'd prefer to keep the entire thing contained in one file. – Max Roncace Jan 19 '13 at 06:24
-
No, give them some mechanism for editing your configuration and make them edit it as part of deploying your application. – ta.speot.is Jan 19 '13 at 06:31
-
Note that if Java has some sort of configuration system built in, you could use that rather than worrying about configuration files. You can let the Java runtime handle that responsibility. – ta.speot.is Jan 19 '13 at 10:30
-
Would it work if I included an encrypted version of the password in the code, then had the program request the encryption key from a webserver? – Max Roncace Jan 22 '13 at 00:28
-
@mproncace Probably, but why bother? What's to stop a user setting a debugging proxy like Fiddler up and watching the password come back. Just make a web service to handle sending/receiving data. I think you should rethink why you need to connect to a MySQL database from the client. – ta.speot.is Jan 22 '13 at 00:32
1
You can put the password in some sort of configuration file like an ini file. During the setup/installation stage, get the password from the user and populate it in the configuration file either by code, or allow them to do it manually.
saji89
- 2,093
- 4
- 27
- 49
-
1I don't quite follow... I suppose I should have mentioned that my code is a standalone JAR. – Max Roncace Jan 19 '13 at 06:17
1
As far as I know, there is no correct answer. You can try really hard to obfuscate or hide it, but if the password or a method of calculating it is in your JAR, a persistent and skilled user will find it.
There is a much better answer than I could give here: How can I protect MySQL username and password from decompiling?
Community
- 1
- 1
Cory Kendall
- 7,195
- 8
- 37
- 64
-
I'm a bit confused. If I were to use the code `preferences.put("db_username", username); preferences.put("db_password", password);`, wouldn't the credentials still be hard-coded into the binary? – Max Roncace Jan 20 '13 at 00:24