I'm a new comer to JDBC, and also the new project require me to make use of JDBC. What I wish to know is,

may be the JDBC secure?

Preventing "Mysql Injection"-like problem?

Do you know the security problems that I have to give consideration after i use JDBC?

And just how to make sure, I am talking about optimize the safety, to be able to prevent from cyber-terrorist to compromise the database?

EDIT:

I attempted google, basically google:

"php mysql security problems" => it gives lots of result

basically google:

"jdbc mysql security problems" => hardly use whatever related pages

Will it mean, using jdbc is safe? Dont be concerned about being hack?

Use prepared statements. For any hypothetical login you may make use of this, for instance:

PreparedStatement stmt = conn.prepareStatement("SELECT * FROM member WHERE member_username = ? AND member_password = ?");
stmt.setString(1, username);
stmt.setString(2, password);
stmt.execute();

ResultSet rs = stmt.getResultSet();
// ...

This can completely help you avoid SQL Injection weaknesses.

JDBC is really a database connection protocol, it's as secure as other way to connect with database.

Most dependable issues do not have anything related to JDBC protocol itself. For instance, you are able to prevent SQL Injection by utilizing Prepared Statement. This is true regardless of how you connect with the database.

may be the JDBC secure?

The safety of JDBC is really a property from the JDBC driver that you employ. Generally, in case your driver uses an SSL transport layer, it's as secure as the effectiveness of your SSL secrets. Whether it uses an unencrypted transport, it's not secure.

Preventing "Mysql Injection"-like problem?

Whenever you compose an SQL query for JDBC, take care not to incorporate 'raw' strings that may contain embedded SQL. For instance:

String query = "SELECT * FROM SOME_TABLE WHERE X = '" + someString + "' ;";

If someString consists of an unescaped "'" character, what you want to be an SQL literal string could really be transformed into something different. The fix would be to either reject someString whether it consists of any "'" figures (or any other bad guys), or preprocess it having a method that card inserts SQL string escapes.

Another (simpler / more reliable) approach is by using prepared claims with "?" placeholders and inject the values in to the query using setString(...) etc.

Do you know the security problems that I have to give consideration after i use JDBC?

Aside from the above mentioned, I'm not sure of anything specific to JDBC. Indeed neither of the aforementioned issues is specific to JDBC.

And just how to make sure, I am talking about optimize the safety, to be able to prevent from cyber-terrorist to compromise the database?

  1. Buy / read a bestseller on building secure systems.
  2. Be cautious.
  3. Purchase a burglar expert to audit your code / system.

JDBC is purely the transport involving the program and also the database.

It's reasonably secure because the sign up protocol isn't susceptible to network sniffing at, and, it's very, tough to inject anything in to the network traffic.

However JDBC basically transports your SQL towards the database and returns the resulting dataset. In case your program is vulerable to SQL injection it will likely be vulnerable regardless if you are utilizing a direct connection, odbc or jdbc.

The only method to really safeguard yourself against sql injection is by using prepared claims with "?" type place holders for user input. Never string together SQL claims using unsecure input (including both direct user input, and data from the table which was input with a user).

Or make use of the utility method: "org.apache.commons.lang.StringEscapeUtils.escapeSql(java.lang.String str)" to avoid sql-injection from happening.

String sanitation is definitely be best policy to avoid sql-injection or mix-site-scripting attacks.

Always employ area validators, matching some specific regular expressions rules before passing almost anything to the DB acceess api.