Remote database over internet + Java Swing app with JDBC != secure?
1 posts in topic
Flat View  Flat View
TOPIC ACTIONS:
 

Posted By:   Bertil_Karlsson
Posted On:   Sunday, January 6, 2002 02:00 PM

I wonder what about security when accesssing a remote mysql database over the internet from a java swing application. What are the security issues here? What can be done to make is secure?

I have managed to access my remote mysql database in my java program, but I am not sure how secure this is.

Thanks!

Re: Remote database over internet + Java Swing app with JDBC != secure?

Posted By:   Jay_Meyer  
Posted On:   Monday, January 7, 2002 12:38 PM

You are exposing your mysql database to hackers.


The problem with the applet connection approach is that a hacker can sniff the mysql connect message and see the mysql user/password that you used to connect. Then he can open his own mysql connection directly to your server using some other mysql client and the user/password he just sniffed. He'll have the same access as the applet to run DELETE FROM ANYTABLE to destroy the mysql data with sql commands, or read all of the data with SELECT * FROM ANYTABLE.


You may also have a technical problem with mysql security. I believe that mysql requires host AND user and when random hosts load the applet, mysql would not have a rule for anyhost:user. Please check the mysql manual for better info but I remember a problem with that.


Consider sticking the JDBC connection inside a servlet and then use the applet to connect to the servlet for the database request (using applet-to-servlet communication). This at least narrows the security risk down so that the hacker cannot use SQL commands right on the mysql server, instead he'd have to figure out what damage he could do by sending requests through the servlet. This would also handle the mysql host/user issue since you would only have to grant mysql access to the servlet server box.

About | Sitemap | Contact