How can I protect my database password?

Jay Meyer

This is a very common question. I answered a similar question at Remote database over internet + Java Swing app with JDBC != secure?

Conclusion: JAD decompiles things easily and obfuscation would not help you. But you'd have the same problem with C/C++ because the connect string would still be visible in the executable.

SSL JDBC network drivers fix the password sniffing problem (in MySQL 4.0), but not the decompile problem. If you have a servlet container on the web server, I would go that route (see other discussion above) then you could at least keep people from reading/destroying your mysql database.

Make sure you use database security to limit that app user to the minimum tables that they need, then at least hackers will not be able to reconfigure your DBMS engine.

Joe Sam Shirah adds: Aside from encryption issues over the internet, it seems to me that it is bad practice to embed user ID and password into program code. One could generally see the text even without decompilation in almost any language. This would be appropriate only to a read-only database meant to be open to the world. Normally one would either force the user to enter the information or keep it in a properties file.

A production quality database will support security and user rights. Also, for more information regarding JDBC and SSL, see: Are there any JDBC drivers available that support using SSL to communicate between the Java program and the database server?
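The properties-file approach from the answer above, written out as an added example (not code from either answer): the credentials live in a file outside the jar, the loader refuses a world-readable file, and the connection asks the driver for TLS so the password is not sniffable on the wire. The system property name `db.config`, the keys `db.url`/`db.user`/`db.password`, and the `useSSL`/`requireSSL` keys (MySQL Connector/J; names differ between driver versions) are assumptions.

```java
// Added example (not from the original answers): load JDBC credentials from a
// properties file outside the jar instead of embedding them. Assumed: path given
// by -Ddb.config, keys db.url/db.user/db.password, and a driver that honours
// MySQL Connector/J's useSSL/requireSSL properties (names vary by version).
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
public class DbConfig {
    /** Reads db.url, db.user and db.password from the file named by -Ddb.config. */
    public static Properties load() throws IOException {
        String configPath = System.getProperty("db.config");
        if (configPath == null) throw new IOException("set -Ddb.config=/path/to/db.properties");
        Path path = Paths.get(configPath);
        rejectIfWorldReadable(path);
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(path)) {
            props.load(in);
        }
        if (props.getProperty("db.url") == null || props.getProperty("db.password") == null) {
            throw new IOException("db.url and db.password are required in " + configPath);
        }
        return props;
    }
    /** The file is only as secret as its permissions; refuse a world-readable one. */
    static void rejectIfWorldReadable(Path path) throws IOException {
        try {
            if (Files.getPosixFilePermissions(path).contains(PosixFilePermission.OTHERS_READ)) {
                throw new IOException(path + " is world-readable; chmod 600 it");
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): rely on NTFS ACLs instead.
        }
    }
    /** Connects with the loaded credentials and asks the driver for TLS on the wire. */
    public static Connection connect() throws IOException, SQLException {
        Properties cfg = load();
        Properties conn = new Properties();
        conn.setProperty("user", cfg.getProperty("db.user", ""));
        conn.setProperty("password", cfg.getProperty("db.password"));
        conn.setProperty("useSSL", "true");     // Connector/J: encrypt the session
        conn.setProperty("requireSSL", "true"); // ...and fail rather than fall back
        return DriverManager.getConnection(cfg.getProperty("db.url"), conn);
    }
}
```

Pair this with a database account granted only the tables and privileges the application needs, as the first answer recommends; the file then limits who can read the password, and the grant limits what a leaked password can do.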