I am new to JDBC, and the new project require me to use JDBC. What I want to know is,
is the JDBC secure?
How to prevent "Mysql Injection"-like problem?
What are the security issues that I need to pay attention when I use JDBC?
And how to ensure, I mean optimize the security, in order to prevent from hackers to hack the database?
EDIT:
I tried google, if I google:
"php mysql security problems" => it gives a lot of result
if I google:
"jdbc mysql security problems" => hardly see any related pages
Does it mean, using jdbc is secure? Dont need to worry about being hack?
Use prepared statements. For a hypothetical login you might use this, for example:
PreparedStatement stmt = conn.prepareStatement("SELECT * FROM member WHERE member_username = ? AND member_password = ?");
stmt.setString(1, username);
stmt.setString(2, password);
stmt.execute();
ResultSet rs = stmt.getResultSet();
// ...
This will completely shield you from SQL Injection vulnerabilities.
is the JDBC secure?
The security of JDBC is a property of the JDBC driver that you use. In general, if your driver uses an SSL transport layer, it is as secure as the strength of your SSL keys. If it uses an unencrypted transport, it is not secure.
How to prevent "Mysql Injection"-like problem?
When you compose an SQL query for JDBC, be careful not to incorporate 'raw' strings that might contain embedded SQL. For example:
String query = "SELECT * FROM SOME_TABLE WHERE X = '" + someString + "' ;";
If someString contains an unescaped "'" character, what you intend to be an SQL literal string could actually be changed into something completely different. The fix is to either reject someString
if it contains any "'" characters (or other nasties), or preprocess it with a method that inserts SQL string escapes.
Another (simpler / more reliable) approach is to use prepared statements with "?" placeholders and inject the values into the query using setString(...)
etc.
What are the security issues that I need to pay attention when I use JDBC?
Apart from the above, I don't know of anything specific to JDBC. Indeed neither of the above issues is specific to JDBC.
And how to ensure, I mean optimize the security, in order to prevent from hackers to hack the database?
- Buy / read a good book on building secure systems.
- Be careful.
- Pay for a security expert to audit your code / system.
JDBC is a database connection protocol, it's as secure as all other means to connect to database.
Most secure issues have nothing to do with JDBC protocol itself. For example, you can minimize the risk of SQL Injection by using Prepared Statement. This will be true regardless how you connect to the database.
JDBC is purely the transport between your program and the database.
It is reasonably secure in as much as the sign on protocol is not vulnerable to network sniffing, and, it is very, very difficult to inject anything into the network traffic.
However JDBC merely transports your SQL to the database and returns the resulting dataset.
If your program is vulerable to SQL injection it will be vulnerable whether you are using a direct connection, odbc or jdbc.
The only way to really protect yourself against sql injection is to use prepared statements with "?" type place holders for user input. Never string together SQL statements using unsecure input (this includes both direct user input, and data from a table that was input by a user).
Or you can use the utility method: "org.apache.commons.lang.StringEscapeUtils.escapeSql(java.lang.String str)" to prevent sql-injection from happening.
String sanitation is always be best policy to prevent sql-injection or cross-site-scripting attacks.
Always use field validators, matching some specific regular expressions rules before passing anything to the DB acceess api.