I'm currently writing a program for a university assignment, and we have to use JDBC to connect to a MySQL database.
Given that the database password has to be exposed to the program in some form so that the program can reach the database, surely you might as well just hand the password to a hacker in the first place?
Am I right, or am I missing something?
If you're concerned about the security of your JDBC connections, encrypt them. http://dev.mysql.com/doc/refman/5.0/en/connector-j-reference-using-ssl.html
You'll pay a performance penalty, but this is the alternative to plain text. According to the MySQL documentation:
The performance penalty for enabling SSL is an increase in query processing time between 35% and 50%, depending on the size of the query, and the amount of data it returns.
This option is available with most SQL and NoSQL databases.
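What the answer above describes in code, as an added example that is not part of the original answer: a JDBC connection that insists on TLS, verifies the server certificate against a trust store, and then checks the MySQL session status to confirm the link really is encrypted (an unverified `useSSL=true` alone still allows a man-in-the-middle). The host, database name, trust-store path and environment variable names are placeholders chosen for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/**
 * Opens a MySQL JDBC connection that requires TLS and verifies the server
 * certificate, then checks that the session is actually encrypted.
 * Host, database, trust-store path and env var names are example values.
 */
public class TlsJdbcExample {

    static Properties tlsProperties(String user, String password,
                                    String trustStorePath, String trustStorePassword) {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        // Connector/J 5.1 property names (still accepted by 8.0).
        props.setProperty("useSSL", "true");
        props.setProperty("requireSSL", "true");               // refuse plaintext fallback
        props.setProperty("verifyServerCertificate", "true");  // otherwise any cert is accepted
        props.setProperty("trustCertificateKeyStoreUrl", "file:" + trustStorePath);
        props.setProperty("trustCertificateKeyStorePassword", trustStorePassword);
        // Connector/J 8.0 equivalent of the three flags above:
        // props.setProperty("sslMode", "VERIFY_IDENTITY");
        return props;
    }

    /** Returns the negotiated cipher, or throws if the session is not TLS-protected. */
    static String negotiatedCipher(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SHOW SESSION STATUS LIKE 'Ssl_cipher'")) {
            if (rs.next()) {
                String cipher = rs.getString(2);   // columns: Variable_name, Value
                if (cipher != null && !cipher.isEmpty()) {
                    return cipher;
                }
            }
            throw new SQLException("connection is not encrypted: Ssl_cipher is empty");
        }
    }

    public static void main(String[] args) throws SQLException {
        String url = "jdbc:mysql://db.example.internal:3306/coursework";
        Properties props = tlsProperties(
                System.getenv("DB_USER"),
                System.getenv("DB_PASSWORD"),
                "/etc/myapp/truststore.jks",
                System.getenv("DB_TRUSTSTORE_PASSWORD"));
        try (Connection conn = DriverManager.getConnection(url, props)) {
            System.out.println("TLS cipher in use: " + negotiatedCipher(conn));
        }
    }
}
```

The `Ssl_cipher` check is the practical confirmation that the performance cost quoted above is buying something: if the server was started without TLS support, `useSSL=true` without `requireSSL=true` silently degrades to plaintext, and this query would return an empty value.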
The password must be exposed to the application, that's for sure, otherwise how would your application connect to the DB?
But this is not a big security flaw. The machine where the application runs is what must be secure at all costs. This is the main thing! If a hacker or even a naive user has access to the machine where the application runs, they could wreak havoc in your systems even without knowing much at all if they have enough privileges. Once a person has access to your application's source code AND to the machine it's running on, there's just no way in the world you can make it secure, unless maybe if you have a very good user account management system.
You can externalize the password to a text file and store it hashed, maybe even with a salt, which is basically the best/most used way I know of... but this just makes the life of someone who has access to your machine slightly harder... having access to the source code they can still break into your database if they are smart, or if they are not, they can simply delete or corrupt it.
So there's nothing wrong with JDBC... if you disagree, please convince the millions of users of JDBC otherwise. Security is not something you build on a single technology. It involves protecting ALL of your systems and adding layer after layer of protection at each different node, but beware that each layer of protection compromises more and more usability and flexibility (this is the reason people don't just add 1000 layers of passwords on top of an application/database, it's just impractical and mostly unnecessary, even).
JDBC is the standard API that Java applications use to connect to database systems. It is very mature, reliable, and widely used in the Java community.
However, some applications misuse the API by, for example, exposing the database connection credentials in the source code.
The design question "How to protect MySQL username and password from decompiling?" has a good explanation and some suggestions for addressing it, such as storing the database credentials in a file outside the application and using a multi-tier architecture.
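The "externalize the credentials to a file outside the application" advice from the two answers above, as an added example that is not part of either answer: the file's location comes from an environment variable rather than a constant in the class, the program refuses to start if the file is readable by anyone but its owner, and the password never appears in the compiled code. The `DB_CREDENTIALS` variable name, the property keys `url`, `user` and `password`, and the sample file contents are assumptions made for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.Set;

/**
 * Loads JDBC credentials from a file that lives outside the application,
 * e.g. /etc/myapp/db.properties (mode 600) containing:
 *   url=jdbc:mysql://db.example.internal:3306/coursework
 *   user=coursework_app
 *   password=...
 * Env var name, property keys and paths are example values.
 */
public class ExternalCredentials {

    /** The path is supplied by the deployment environment, not compiled in. */
    static Path credentialFile() {
        String p = System.getenv("DB_CREDENTIALS");
        if (p == null || p.isEmpty()) {
            throw new IllegalStateException("DB_CREDENTIALS is not set");
        }
        return Paths.get(p);
    }

    /**
     * Reject a credentials file that other OS users could read or change.
     * Uses POSIX permissions; on Windows this call throws
     * UnsupportedOperationException and an ACL check would be needed instead.
     */
    static void requireOwnerOnly(Path file) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        boolean exposed = perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.GROUP_WRITE)
                || perms.contains(PosixFilePermission.OTHERS_READ)
                || perms.contains(PosixFilePermission.OTHERS_WRITE);
        if (exposed) {
            throw new IOException(file + " must be readable only by its owner (chmod 600)");
        }
    }

    /** Reads and validates the properties file. */
    static Properties load(Path file) throws IOException {
        requireOwnerOnly(file);
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        for (String key : new String[] {"url", "user", "password"}) {
            if (props.getProperty(key) == null) {
                throw new IOException("missing '" + key + "' in " + file);
            }
        }
        return props;
    }

    public static void main(String[] args) throws IOException, SQLException {
        Properties props = load(credentialFile());
        String url = props.getProperty("url");
        props.remove("url");   // remaining keys (user, password, ...) go to the driver
        try (Connection conn = DriverManager.getConnection(url, props)) {
            System.out.println("connected as " + conn.getMetaData().getUserName());
        }
    }
}
```

Pair this with a dedicated MySQL account that holds only the privileges the application needs (for instance `GRANT SELECT, INSERT, UPDATE ON coursework.* TO 'coursework_app'@'app-host'`), so that someone who does obtain the file gets that account's access and not the database administrator's.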