Remote database over internet + Java Swing app with JDBC != secure?
Conclusion: JAD decompiles things easily and obfuscation would not help you. But you’d have the same problem with C/C++ because the connect string would still be visible in the executable. SSL JDBC network drivers fix the password sniffing problem (in MySQL 4.0), but not the decompile problem. If you have a servlet container on the web server, I would go that route (see other discussion above) then you could at least keep people from reading/destroying your MySQL database. Make sure you use database security to limit that app user to the minimum tables that they need, then at least hackers will not be able to reconfigure your DBMS engine.

Joe Sam Shirah adds: Aside from encryption issues over the internet, it seems to me that it is bad practice to embed user ID and password into program code. One could generally see the text even without decompilation in almost any language. This would be appropriate only to a read-only database meant to be open to the world. Normally one would either
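As an added example (not part of the original answers), this shows why no decompiler is needed: a compiled class keeps its string literals as plain CONSTANT_Utf8 entries in the constant pool, so a build-time audit can flag an embedded connect string before the client ships. The function names, the sample class bytes and the placeholder URL are constructed for illustration.

```python
import re
import struct

# Payload size after the tag byte for fixed-size constant-pool entries (JVMS 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Heuristic: a JDBC URL or a credential-style parameter.
SUSPICIOUS = re.compile(r"jdbc:[a-z0-9]+:|(?:password|passwd|pwd)=", re.I)

def utf8_constants(class_bytes):
    """Return every CONSTANT_Utf8 string in a .class file's constant pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos, index, found = 10, 1, []
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then that many bytes
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            raw = class_bytes[pos + 2:pos + 2 + length]
            found.append(raw.decode("utf-8", errors="replace"))
            pos += 2 + length
        elif tag in FIXED:
            pos += FIXED[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        index += 2 if tag in (5, 6) else 1  # long/double take two slots
    return found

def embedded_secrets(class_bytes):
    """Constant-pool strings that look like connection strings or passwords."""
    return [s for s in utf8_constants(class_bytes) if SUSPICIOUS.search(s)]

def _utf8(text):
    data = text.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(data)) + data

# Constructed sample: header and constant pool only, which is all the parser
# reads. Host, user and password are placeholders.
SAMPLE_URL = "jdbc:mysql://db.example.com/app?user=appuser&password=EXAMPLE-ONLY"
SAMPLE_CLASS = (
    struct.pack(">IHHH", 0xCAFEBABE, 0, 49, 6)  # magic, minor, major, cp_count
    + _utf8("DbClient")                          # slot 1
    + b"\x05" + struct.pack(">q", 42)            # slots 2-3: CONSTANT_Long
    + _utf8(SAMPLE_URL)                          # slot 4
    + b"\x08" + struct.pack(">H", 4)             # slot 5: CONSTANT_String
)
```

Running `embedded_secrets` over each `.class` entry of a release JAR (a JAR is a ZIP archive) turns the point into a build check; obfuscators that rename classes and methods leave these literals in place unless they also encrypt strings.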