current community

your communities

more stack exchange communities

Stack Exchange
tour help
Take the 2-minute tour ×
Code Review Stack Exchange is a question and answer site for peer programmer code reviews. It's 100% free, no registration required.
up vote 6 down vote favorite

I would like to know if my java db class is enough protected against hackers. (I'm currently developing an Android application). I protect it with a infos.properties file which contains every information that I need.

final class DB {
static final String DRIVER;
static final String URL;
static final String USER;
static final String PASSWORD;

static {
Properties prop = new Properties();
try {
    prop.load(new FileInputStream("infos.properties"));
} catch (IOException e) {
    e.printStackTrace();
}
DRIVER = prop.getProperty("DRIVER");
URL = prop.getProperty("URL");
USER = prop.getProperty("user");
PASSWORD = prop.getProperty("password");
}

public static ResultSet doQuery(String query)
{
    try {
        Class.forName(DRIVER);
        Connection conn = DriverManager.getConnection(URL, USER, PASSWORD);
        Statement stmt = conn.createStatement();
        ResultSet rs = stmt.executeQuery(query);
        if (rs != null) rs.close();
        if (stmt != null) stmt.close();
        if (conn != null) conn.close();
        return (rs);
    } catch (ClassNotFoundException e) {
        e.printStackTrace();
    } catch (SQLException e) {
        e.printStackTrace();
    }
    return null;
}
}

If it is not enough protected, what should I do then ?

share|improve this question
2  
Its never secure. Ever. –  user30497 11 hours ago
    
Besides what that answers said about the actual security problem, this code has a lot of issues in terms of quality. –  Ingo Bürk 11 hours ago
1  
@IngoBürk Feel free to add another answer addressing those issues! –  Simon André Forsberg 9 hours ago
add comment

2 Answers

up vote 3 down vote accepted

If possible I would try to avoid a method like doQuery(String query). If someone manages to manipulate the query this becomes a classical injection problem.

If you do not need the flexibility to make any kind of db requests, use prepared statements for specific requests which only get some parameters.

share|improve this answer
    
I have got another problem, I can't laod the infos.properties because my android application can't find it, do you know where he have to be ? –  Guest13800 18 hours ago
1  
@Guest13800: I am not an Android developer. Try a search engine or StackOverflow. –  MrSmith42 17 hours ago
add comment
up vote 17 down vote

Do not store the connection information in a file unencrypted

Assuming that you are connecting to a database somewhere on the internet... If you plan on distributing this application, do not store the connection information unencrypted in a file on the user's device. In fact, preferably don't store the database connection information at all.

Do not let your Android application connect directly to your remote database!

It is not recommended to let your Android application, or any other distributed application, connect directly to your database. This is because it is very easy to decompile an application, which would give information about the connection details, your database structure, and a whole lot of other things.

Instead, perform connections to a server-side script or application that is responsible for handling the connection between your Android application and your database. Only let this script/application that only you control deal with the database connection.

Unless you deal with this, any number of prepared statements your application itself uses doesn't matter, as a user could just find out the connection details from your application and then create their own connection to the database server.

share|improve this answer
1  
Depending on exactly what the application is, it may be worth simply using a local database on the Android device. Obviously this doesn't work for all applications, but it doesn't really matter if the user has the DB connection info if the DB is simply local information the user already had access to. At that point, the DB simply becomes a storage medium for keeping state between iterations of the program. –  Brian S 13 hours ago
1  
@BrianS Absolutely, if it's a local database then no harm is done. I assumed that this was a database that is connected to the internet, as the connection information is "protected" inside the infos.properties file. –  Simon André Forsberg 9 hours ago
add comment

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.