try { // driver, url, db, user and pass are fields of the enclosing class (not shown)
    Class.forName(driver);
    con = DriverManager.getConnection(url + db, user, pass); // flagged: pass is a constant string
    PreparedStatement st = con.prepareStatement(
        "INSERT INTO menu(menu.menuID,menu.name,menu.info,menu.price) values(?,?,?,?)");
    st.setString(1, value1);
    st.setString(2, value2);
    st.setString(3, value3);
    st.setString(4, value4);
    st.executeUpdate();
    JOptionPane.showMessageDialog(p1, "Data is successfully inserted into database.");
    con.close(); // not reached on error, so the connection leaks when an exception is thrown
} catch (Exception e) {
    JOptionPane.showMessageDialog(p1, "Error in submitting data!");
}

I ran FindBugs and this is the bug it reports on line 3:

Hardcoded constant database password in ie.lyit.flight.Changeadd$3.actionPerformed(ActionEvent)

This code creates a database connect using a hardcoded, constant password. Anyone with access to either the source code or the compiled code can easily learn the password.

Rank: Scary (7), confidence: Normal Pattern: DMI_CONSTANT_DB_PASSWORD Type: Dm, Category: SECURITY (Security)

I was wondering if anyone knows how to get rid of this bug and how I would go about doing it?

ericbn
  • Your code does not include the line FindBugs complains about. Where is `pass` defined? – Apr 20 '15 at 12:55
  • Look at http://stackoverflow.com/questions/3132130/findbugs-and-database-password-security-issue – Alexey Semenyuk Apr 20 '15 at 12:58
  • I know that, but it's just the code I am having difficulty writing. Like making the password encrypted so that nobody can see the letters when they look at the code, e.g. (*********) – reginafalange101 Apr 20 '15 at 13:14

3 Answers

Code analysis tools check for any loopholes in code, along with looking for best practices (or violations of them).

While developing, you can ignore such warnings, but yes, once you are done with your business logic, it's always good to apply best practices - in this case, read the password from a configuration or properties file.

Raúl

If you are using jTDS for connecting to the database, there is no need to provide a username and password for the connection. Try the code below:

            import java.sql.Connection;
            import java.sql.DriverManager;

            Connection conn = null;
            // "master" is the database name; serverName is the SQL Server host
            String url = "jdbc:jtds:sqlserver://" + serverName + "/" + "master";
            String driver = "net.sourceforge.jtds.jdbc.Driver";
            Class.forName(driver);
            // With no user/password in the URL, jTDS falls back to Windows integrated
            // authentication as the account running the JVM (needs ntlmauth.dll on Windows)
            conn = DriverManager.getConnection(url);

master is the database name in my case. Just replace it with yours.

Yash Varshney

This simply tells you that passwords should not be stored directly in the source code of your application, because it is often shared and not encrypted. Use some external source instead, and even better do not store any passwords, store password hashes only.

You may also look at:

Christophe Roussy
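The approach Raúl and Christophe Roussy both point at (read the credentials from an external source at runtime so no password literal exists in source or bytecode) looks roughly like the following. This is an added example, not code from any of the answers: the class name DbConfig, the property keys db.url/db.user/db.password, the environment variable DB_PASSWORD and the sample file contents are all assumptions chosen for illustration.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Properties;

/**
 * JDBC settings loaded at runtime instead of compiled into the class, so no
 * constant string holding the password exists for DMI_CONSTANT_DB_PASSWORD
 * (or a decompiler) to find. All names here are illustrative assumptions.
 */
public final class DbConfig {
    private final String url;
    private final Properties connProps = new Properties();

    private DbConfig(String url, String user, String password) {
        this.url = url;
        connProps.setProperty("user", user);
        connProps.setProperty("password", password);
    }

    /**
     * Reads db.url, db.user and db.password from a properties file. An
     * environment variable DB_PASSWORD (assumed name) overrides the file so a
     * production host does not have to keep the password on disk at all.
     */
    public static DbConfig load(Path file) throws IOException {
        Properties p = new Properties();
        try (Reader in = Files.newBufferedReader(file)) {
            p.load(in);
        }
        String password = System.getenv("DB_PASSWORD");
        if (password == null || password.isEmpty()) {
            password = require(p, "db.password");
        }
        return new DbConfig(require(p, "db.url"), require(p, "db.user"), password);
    }

    private static String require(Properties p, String key) {
        String v = p.getProperty(key);
        if (v == null || v.trim().isEmpty()) {
            throw new IllegalStateException("missing required setting: " + key);
        }
        return v.trim();
    }

    /** JDBC 4 drivers register themselves, so Class.forName(driver) is not needed. */
    public Connection open() throws SQLException {
        return DriverManager.getConnection(url, connProps);
    }

    /** Safe to log: the password never leaves the Properties object. */
    public String describe() {
        return connProps.getProperty("user") + "@" + url;
    }

    /** The insert from the question, rewritten to use the loaded settings. */
    public static void insertMenuItem(DbConfig cfg, String id, String name,
                                      String info, String price) throws SQLException {
        // try-with-resources closes statement and connection even when the insert fails
        try (Connection con = cfg.open();
             PreparedStatement st = con.prepareStatement(
                 "INSERT INTO menu(menuID, name, info, price) VALUES (?, ?, ?, ?)")) {
            st.setString(1, id);
            st.setString(2, name);
            st.setString(3, info);
            st.setString(4, price);
            st.executeUpdate();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample file for the demo. In a real deployment it lives
        // outside the source tree and version control, readable only by the
        // account that runs the application.
        Path sample = Files.createTempFile("db", ".properties");
        Files.write(sample, Arrays.asList(
            "db.url=jdbc:mysql://localhost:3306/flight",
            "db.user=flight_app",
            "db.password=example-only"));
        DbConfig cfg = DbConfig.load(sample);
        System.out.println("Loaded settings for " + cfg.describe());
        Files.deleteIfExists(sample);
    }
}
```

The file itself is now the secret to protect: restrict its permissions to the service account and keep it out of the repository. Note that the asker's idea of "encrypting" the password in the source does not help, because the decryption key would have to ship in the same code, which is exactly what the FindBugs rule objects to.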