is the JDBC secure?
The security of JDBC is a property of the JDBC driver that you use. In general, if your driver uses an SSL transport layer, it is as secure as the strength of your SSL keys. If it uses an unencrypted transport, it is not secure.
How to prevent "Mysql Injection"-like problem?
When you compose an SQL query for JDBC, be careful not to incorporate 'raw' strings that might contain embedded SQL. For example:
String query = "SELECT * FROM SOME_TABLE WHERE X = '" + someString + "' ;";
If someString contains an unescaped "'" character, what you intend to be an SQL literal string could actually be changed into something completely different. The fix is to either reject someString
if it contains any "'" characters (or other nasties), or preprocess it with a method that inserts SQL string escapes.
Another (simpler / more reliable / more secure) approach is to use a PreparedStatement
with "?" placeholders and inject the values into the query using setString(...)
etc. With a PreparedStatement
, the JDBC driver is guaranteed to use appropriate quoting and escaping to prevent SQL injection.
What are the security issues that I need to pay attention when I use JDBC?
Apart from the above, I don't know of anything specific to JDBC. Indeed neither of the above issues is specific to JDBC.
And how to ensure, I mean optimize the security, in order to prevent from hackers to hack the database?
- Buy / read a good book on building secure systems.
- Be careful.
- Pay for a security expert to audit your code / system.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…