Monday, January 7, 2002 12:38 PM
You are exposing your mysql database to hackers.
The problem with the applet connection approach is that a hacker can sniff the mysql connect message and see the mysql user/password that you used to connect. Then he can open his own mysql connection directly to your server using some other mysql client and the user/password he just sniffed. He'll have the same access as the applet to run DELETE FROM ANYTABLE to destroy the mysql data with sql commands, or read all of the data with SELECT * FROM ANYTABLE.
You may also have a technical problem with mysql security. I believe that mysql requires host AND user, and when random hosts load the applet, mysql would not have a rule for anyhost:user. Please check the mysql manual for better info, but I remember a problem with that.
Consider sticking the JDBC connection inside a servlet and then using the applet to connect to the servlet for the database request (using applet-to-servlet communication). This at least narrows the security risk down so that the hacker cannot use SQL commands right on the mysql server; instead, he'd have to figure out what damage he could do by sending requests through the servlet. This would also handle the mysql host/user issue, since you would only have to grant mysql access to the servlet server box.
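As an added illustration of the servlet-in-the-middle layout described in this post (example code written for this page, not code from the original poster or from any project), here is a minimal servlet that keeps the MySQL credentials on the server and exposes one narrow, parameterised lookup to the applet. The database URL, user name, table and column names are hypothetical; the password is a placeholder. The applet would fetch something like `new URL(getCodeBase(), "lookup?id=42").openStream()` and never sees a JDBC connect message, so there is nothing to sniff and replay against the mysql server, and the query shape is fixed on the server, so a client cannot turn the request into `DELETE FROM anytable`. It also matches the host/user point above: the only GRANT needed is for `shop_readonly` from the servlet box, and that grant can be SELECT-only.

```java
// Added example (not from the original post): a servlet that mediates one
// read-only query so the applet never holds MySQL credentials.
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ProductLookupServlet extends HttpServlet {
    // Assumed values. Credentials live here (or in a server-side config file),
    // never inside the applet jar that every browser downloads.
    private static final String DB_URL  = "jdbc:mysql://localhost/shop"; // hypothetical
    private static final String DB_USER = "shop_readonly";               // hypothetical, SELECT-only grant
    private static final String DB_PASS = "change-me";                   // placeholder

    public void init() throws ServletException {
        try {
            Class.forName("com.mysql.jdbc.Driver"); // MySQL Connector/J driver class
        } catch (ClassNotFoundException e) {
            throw new ServletException("MySQL JDBC driver not found", e);
        }
    }

    public void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The applet sends only a product id; it never sends SQL.
        int productId;
        try {
            productId = Integer.parseInt(req.getParameter("id"));
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "id must be an integer");
            return;
        }

        Connection con = null;
        try {
            con = DriverManager.getConnection(DB_URL, DB_USER, DB_PASS);
            // Fixed statement with a bound parameter: the client cannot change
            // the query, only the value compared against the id column.
            PreparedStatement ps = con.prepareStatement(
                "SELECT name, price FROM products WHERE id = ?");
            ps.setInt(1, productId);
            ResultSet rs = ps.executeQuery();
            if (rs.next()) {
                resp.setContentType("text/plain");
                PrintWriter out = resp.getWriter();
                out.println(rs.getString("name") + "\t" + rs.getBigDecimal("price"));
            } else {
                resp.sendError(HttpServletResponse.SC_NOT_FOUND, "no such product");
            }
            rs.close();
            ps.close();
        } catch (SQLException e) {
            // Log the detail on the server; do not echo driver errors to the applet.
            log("product lookup failed", e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        } finally {
            if (con != null) {
                try { con.close(); } catch (SQLException ignored) { }
            }
        }
    }
}
```

The design point is that the servlet, not the applet, decides which statements exist: each operation the applet needs becomes its own fixed, parameterised query, and the mysql account the servlet uses is granted only the privileges those queries require.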