i am writing an application in java and i want to enable it to access a mysql remote server.
my problem is that if the application have the user name and password someone can take them and use my db with a different software.
is there a way of preventing it ?
UPDATE
i found this workaround for connecting to a remote MySQL database from an android device.
you put a service in the middle. like a php page that code the data in JSON format which the android app gets via http.
here is the example i found :
Connecting to MySQL database
Having the username and password is designed specifically to grant access to the database. That's the whole point.
You could go to some extra lengths like restricting database connectivity to specific hosts, so at least your paying customers get access to the database and no else can access it, but your customers might choose to use different software to access the database. There's no way around it except licensing terms.
What you could do is run an intermediary program on your own hardware that connects to the database and restrict access to the database to software that is under your direct administrative control. Your program would validate all requests from software under control of your customers and allow the queries that you want to allow and refuse (and log) the queries you do not have to allow. (You do not need to send raw SQL data back and forth -- you can do any amount of processing on the data and queries.)
You can setup JDBC Data Source on your application server. Here you can see example for Oracle Glassfish.
So, your credential won't be used in your code/resources.
If you are saying that you have an application trying to access a MySQL remotely (not in the same box), then i think you need not worry, as the connection that will be established by your application codes will not expose the username and password when it is trying to authenticate and authorize itself to the MySQL server.
You can limit the access to the MySQL-server so that only certain IP-addresses or IP-ranges have access to it.
As a side note, make sure that the user you use in your application only has the needed permissions to the database. For example, the user might not need to be able to create or delete tables. You can even specify permissions for the user on table and column level.
Related
I have a central SQL server which can be INSERTED INTO and SELECTED from via PHP. However I have built a Java application which I hope to be able to Insert and select stuff in the SQL table with that I have hosted on a web server.
How would I go about doing this? I don't really want to have the root password with JDBC in the source code as even if it is obfuscating it can easily be deobfuscated and then the user has direct access to the database.
Someone said to me that I should use an API but I don't see how I will be able to interact with the database by doing this.
If you already have a PHP application running server side that handles database interaction; I recommend letting that handle if for you.
Write an API in PHP that handles all of the database interactions and send requests to that API from your java application. (I'd probably have the users create an authorization token to pass along to the API as well so you can track who is using your API and limit access).
Your application can then send HTTP(s) POST/GET/etc requests to your PHP that will then handle the database interactions and return the results. Your database username and password will be kept on your server and your application will not need to know them.
If you don't want to rely on a backend service and want your client application to interact directly with the database... You'll probably have to include a username and password in the code. BUT I'd create a separate user in the database with limited accessibility that could be removed anytime you suspect abuse.
I'm very new at programming. I want to make an app where,
1. User1 will make an order (log in as user_profile_1)
2. User2 will work with that order (log in as user_profile_2)
One user shouldn't have access to other's data.
Will SQLite allow me to do that? Seems, database must not run on user's device. And database will always get new records, so we need to update it all the time.
For this case, you have to create a server to store data, I think you should do these things:
Use PHP, NodeJS or some languages server like this to create APIs.
Use a MySQL database or some other database to store data on your server.
Then, different users can log in on their device and you will call your APIs to show what you want.
If you use a SQLite database, the db will be local in the device. The records in the database do not share with other devices.
If you want to access the database from different devices the database will need to exist in a remote server.
You can do differents things:
You can use a database MySql in a remote server with allowed remote access.
You can create a rest api in a LAMP server. You can do this for example with PHP and MySql. You create a GET/POST web page, them pass the data, and the php save the information in the database. You can get the information from the database in the same way, but you should ask to the db in a periodicly time
I'm developing a game in Java and I need need store and get data from mysql database.
Currently I have login credentials saved in my Java app source codes and I'm using some library for the communication. But I think that this is a really unsecured way cause of credentials saved in the Java file.
I was wondering what if I do it through some server side PHP scripts which would just get some information and do what is necessary. But again somebody can get that link and do some evil.
I also thought about creating a new database and mysql user for each user registered. So there would be central database where would be just informations for game and it would be read only. So no security problems. And user informations would be saved in his own database and only he would have login for it. But I see one problem, what if I'll need get some information from another user?
So I was wondering what is the best way to keep it simple and secured?
Define a set of services (RESTful will be good) in server side (through PHP or Java or another programming language) that communicates with the datasource (MySQL or another). Then, from your client, consume these services. Now, you can assure the client and server points for communication like authentication and authorization to consume the services, you can use OAuth for this.
also thought about creating a new database and mysql user for each user registered. So there would be central database where would be just informations for game and it would be read only. So no security problems. And user informations would be saved in his own database and only he would have login for it
This is a no go. Since it's a game, you will have to maintain a single database per user. It's highly costly and you will have more problems than just retrieving the data from another user.
I have a Java application that sends user score to the mysql table. When the user is done, Java app accesses the .php file on server and the .php server performs a query on the database (inserting score).
I am concerned about the (in)security of this method. I mean, if someone finds out the direct url to the .php on a server, they can produce a lot of mess in the dabase. Can you advise how I could prevent the .php from executing the query other than accessed by the Java app?
edit: The problem is that Java application is NOT run on the server, it's run on the user computer using Java Web Launcher platform. So it's not an applet...
The problem is conceptual. You should never be sure that users can't find out the real address (security by obscurity). You could use SSL, still this is no means against a good guess.
Since the Java program is run on the client side, a .htaccess restricting access to a certain IP is also not an option.
My suggestion is to create a separate user in mysql, grant this user access only to necessary tables and perform the database queries on behalf of this user directly in Java. This way all data is encrypted (see http://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html) and no URL/access point is exposed. Of course it means your MySQL server must be reachable from outside which poses a risk, too. You should have a good root password!
I made a java program in which users would be automatically inserted/selected lines into/from one mysql database, but could not modify any existing lines, tables, db, or privilages. I got myself a website and hosted it in 1and1.com, but sadly I found out that its a pain(impossible) to have multiple users for one database and to remotly connect to a database.
I was wondering what are my options here?
I suppose the first one would be to get another host that allows me to do this.
The only other option I can think of is that somehow I manage to send from java the information to my website, and then the website to connect to the database. (not an expert in php, html, or what ever i ahve to do (be by embbedding a browser on my GUI or by doing it under the hood).
This is my first attempt to create a program that connects to an online database, so please be nice.
Note: program worked in localhost.
1&1 support useless.
Almost all (web)applications that use a database, connect to the database with one database user for the whole application. Having a different database user for each user of the application is an uncommon design.
So, you should configure one database user, which the application uses to read from or write to the database; this database user is independent of the users of your application and is shared by all users of your application. There should not be a one-to-one mapping from application users to database users.
There are different reasons for this. One of them is scalability. Most databases cannot handle thousands of connections at the same time. If you have a web app that allows thousands of concurrent users, you don't want to have a database connection with a unique username for each of those users. Instead you want to use a connection pool with a limited number of database connections; the connections in the pool are reused whenever one of the web app users needs to perform an action that accesses the database.