Is JDBC secure?

Question

I am new to JDBC, and the new project require me to use JDBC. What I want to know is,

is the JDBC secure?

How to prevent \"Mysql Injection\"-like problem?<

Answer 1

is the JDBC secure?

The security of JDBC is a property of the JDBC driver that you use. In general, if your driver uses an SSL transport layer, it is as secure as the strength of your SSL keys. If it uses an unencrypted transport, it is not secure.

How to prevent "Mysql Injection"-like problem?

When you compose an SQL query for JDBC, be careful not to incorporate 'raw' strings that might contain embedded SQL. For example:

String query = "SELECT * FROM SOME_TABLE WHERE X = '" + someString + "' ;";

If someString contains an unescaped "'" character, what you intend to be an SQL literal string could actually be changed into something completely different. The fix is to either reject someString if it contains any "'" characters (or other nasties), or preprocess it with a method that inserts SQL string escapes.

Another (simpler / more reliable / more secure) approach is to use a PreparedStatement with "?" placeholders and inject the values into the query using setString(...) etc. With a PreparedStatement, the JDBC driver is guaranteed to use appropriate quoting and escaping to prevent SQL injection.

What are the security issues that I need to pay attention when I use JDBC?

Apart from the above, I don't know of anything specific to JDBC. Indeed neither of the above issues is specific to JDBC.

And how to ensure, I mean optimize the security, in order to prevent from hackers to hack the database?

1. Buy / read a good book on building secure systems.
2. Be careful.
3. Pay for a security expert to audit your code / system.

Answer 2

JDBC is a database connection protocol, it's as secure as all other means to connect to database.

Most secure issues have nothing to do with JDBC protocol itself. For example, you can minimize the risk of SQL Injection by using Prepared Statement. This will be true regardless how you connect to the database.

Answer 3

Always use field validators, matching some specific regular expressions rules before passing anything to the DB acceess api.

Answer 4

JDBC is purely the transport between your program and the database.

It is reasonably secure in as much as the sign on protocol is not vulnerable to network sniffing, and, it is very, very difficult to inject anything into the network traffic.

However JDBC merely transports your SQL to the database and returns the resulting dataset. If your program is vulerable to SQL injection it will be vulnerable whether you are using a direct connection, odbc or jdbc.

The only way to really protect yourself against sql injection is to use prepared statements with "?" type place holders for user input. Never string together SQL statements using unsecure input (this includes both direct user input, and data from a table that was input by a user).

Answer 5

Or you can use the utility method: "org.apache.commons.lang.StringEscapeUtils.escapeSql(java.lang.String str)" to prevent sql-injection from happening.

String sanitation is always be best policy to prevent sql-injection or cross-site-scripting attacks.

Answer 6

Use prepared statements. For a hypothetical login you might use this, for example:

PreparedStatement stmt = conn.prepareStatement("SELECT * FROM member WHERE member_username = ? AND member_password = ?");
stmt.setString(1, username);
stmt.setString(2, password);
stmt.execute();

ResultSet rs = stmt.getResultSet();
// ...

This will completely shield you from SQL Injection vulnerabilities.