findbugs和数据库密码安全问题 [英] findbugs and database password security issue

问题描述

我正在使用以下代码初始化数据库连接：

I'm using the following code to initialize database connection:

 public Connection getConnection() {
        try {
            if (null == connection) {
                String driverName = "com.mysql.jdbc.Driver"; // MySQL MM JDBC driver
                Class.forName(driverName);

                // Create a connection to the database
                String serverName = "localhost";
                String database = "database";
                String url = "jdbc:mysql://" + serverName + "/" + mydatabase; // a JDBC url
                String username = "username";
                String password = "password";
                connection = DriverManager.getConnection(url, username, password);
            }
            return connection;
        } catch (ClassNotFoundException cnfe) {
            cnfe.printStackTrace();
        } catch (SQLException sqle) {
            sqle.printStackTrace();
        }
        throw new NullPointerException("Cannot establish database connection...");
    }

我知道这样做是不好的做法，我也跑了 FindBugs 针对代码，并出现以下安全问题：
此代码使用硬编码的常量密码创建数据库连接。任何有权访问源代码或编译代码的人都可以轻松学习密码。

and I know it's bad practice to do it, also I ran FindBugs against the code, and got the security issue saying the following: This code creates a database connect using a hardcoded, constant password. Anyone with access to either the source code or the compiled code can easily learn the password.

什么是初始化数据库连接的最佳方法这种安全漏洞？

What's the best way to initialize database connection without having this security breach?

推荐答案

绝大多数Web应用程序使用硬编码的用户名/密码进行SQL连接。将生产凭证检查到源代码管理中，或者让实习生删除生产数据库的能力通常是不受欢迎的。生产凭证应受到保护，只有特权员工才能访问它们。

The vast majority of Web Applications use a hard-coded username/password for their SQL connection. Checking production credentials into source control, or giving interns the ability to delete the production database is generally frowned upon. Production credentials should be protected, and only privileged employees should have access to them.

Web应用程序通常会泄漏其配置文件。例如，如果.xml文件存储在webroot中，则可以远程访问它： http：//localhost/configs/db_config.xml 。

It is common for web applications to leak their configuration files. For example if a .xml file is stored in the webroot then it can be accessed remotely: http://localhost/configs/db_config.xml.

通常的做法是禁止访问您的数据库（阻止tcp端口3306用于mysql）。实际上，这是PCI-DSS的要求。即使用户名和密码在哪里获得，也没用。

It is common practice to disallow access to your database (block tcp port 3306 for mysql). In fact this is a requirement of the PCI-DSS. Even if the username and password where to be obtained, it would be useless.

这篇关于findbugs和数据库密码安全问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！