1 message in com.mysql.lists.java: MySQL and JDBC Security Question

| From | Sent On | Attachments |
|---|---|---|
| A. Gulled | 20 Sep 2001 07:21 | |

| Subject: | MySQL and JDBC Security Question |
|---|---|
| From: | A. Gulled (gul...@isy.liu.se) |
| Date: | 09/20/2001 07:21:11 AM |
| List: | com.mysql.lists.java |
Hello everyone,
I am developing a web-based DB system for my university, and I'm using JDBC and a Swing applet and application for the front-end (the interface). The database is working and the front-end is working, but the security aspect of the system is quite lacking.

At the moment everyone can update the database over the web, which is not in the requirements. I would like only the DB admin (or the stakeholders) to be able to update the tables, using either the Swing application or the applet. Mysqld is run as a UNIX user other than root, and that is the username I used while developing the JDBC code. I can deny the INSERT privilege to this user, but that means denying the DB admin too. We don't want to have two versions of the same program either. The following describes my program and shows all the relevant code. There is a button for updating the tables, and the code for that is:
```java
updateCoeff = new JButton( "Update" );
// The U key is used as the mnemonic the user can press to trigger the Update button
updateCoeff.setMnemonic( KeyEvent.VK_U );
updateCoeff.addActionListener( new UpdateRecord( c, s, t ) );
add( updateCoeff );
```
Clicking this button triggers an ActionEvent, and the handler looks like this:
```java
public void actionPerformed( ActionEvent e ) {
    try {
        Statement stmt = connection.createStatement();

        if ( ! fields.coeffno.getText().equals( "" ) ) {
            // The statement is built by concatenating the raw field text, so
            // whatever is typed into the form becomes part of the SQL sent to
            // MySQL. There is also no WHERE clause, so every row of
            // `coefficient` is updated; result == 1 below only holds when the
            // table contains exactly one row.
            String query = "UPDATE coefficient SET "
                + "coeffno='" + fields.coeffno.getText() + "', "
                + "cost='"    + fields.cost.getText()    + "', "
                + "descr='"   + fields.descr.getText()   + "'";
            output.append( "\nSending query: " + connection.nativeSQL( query ) + "\n" );

            int result = stmt.executeUpdate( query );

            if ( result == 1 ) {
                output.append( "\nUpdate successful\n" );
            } else {
                output.append( "\nUpdate failed\n" );
                fields.coeffno.setText( "" );
                fields.cost.setText( "" );
                fields.descr.setText( "" );
            }
        }

        stmt.close();
    } catch ( SQLException sqlex ) {
        // catch block not in the original posting; added so the handler compiles
        output.append( "\nUpdate failed: " + sqlex.getMessage() + "\n" );
    }
}
```
The solution, I think, is that there should be two users with different access privileges. Clicking the Update button should lead to a popup for username and password; the user with the proper privileges is allowed to do the updating, and conversely the other is denied the privilege to update or insert into the database. I guess I need another ActionEvent, but my experience with security issues concerning JDBC and MySQL is wanting.

Any help from the experts will be well appreciated here. Pointing me to (or posting) some useful code would be nice, of course.
Gulled
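The design sketched in the post (two MySQL accounts with different privileges, a credential popup on Update, and the server deciding who may write) can be implemented with a single version of the program. The following is an added example and is not code from the original posting or from the poster's project. It assumes a database named `coeffdb` on `localhost`, two MySQL accounts named `webreader` and `coeffadmin` (the GRANT statements in the header comment are placeholders the DBA would adapt), that `coeffno` is the key of the `coefficient` table, and that a JDBC 4 MySQL driver (Connector/J) is on the classpath so no `Class.forName` call is needed. The field names `coeffno`, `cost`, `descr` and the `output` text area come from the post; the constructor signature is this example's own.

```java
import java.awt.Component;
import java.awt.GridLayout;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Arrays;
import javax.swing.JLabel;
import javax.swing.JOptionPane;
import javax.swing.JPanel;
import javax.swing.JPasswordField;
import javax.swing.JTextArea;
import javax.swing.JTextField;

/*
 * One-time setup by the DBA (MySQL 5.7+/8 syntax; account names, database
 * name and passwords are placeholders assumed for this example). One
 * read-only account that the program always connects with for browsing,
 * and a second account that is the only one allowed to change the table:
 *
 *   CREATE USER 'webreader'@'%'          IDENTIFIED BY '<reader-password>';
 *   GRANT SELECT ON coeffdb.coefficient  TO 'webreader'@'%';
 *   CREATE USER 'coeffadmin'@'localhost' IDENTIFIED BY '<admin-password>';
 *   GRANT SELECT, INSERT, UPDATE ON coeffdb.coefficient TO 'coeffadmin'@'localhost';
 *
 * The server, not the GUI, now decides who may update: the same class runs
 * for everybody, and an UPDATE attempted over a connection opened as
 * 'webreader' is rejected by MySQL with error 1142 (command denied).
 */
public class UpdateRecord implements ActionListener {
    // Assumed connection URL; the poster's database and host are not given.
    private static final String URL = "jdbc:mysql://localhost/coeffdb";

    private final Component parent;
    private final JTextField coeffno, cost, descr;
    private final JTextArea output;

    public UpdateRecord(Component parent, JTextField coeffno, JTextField cost,
                        JTextField descr, JTextArea output) {
        this.parent = parent;
        this.coeffno = coeffno; this.cost = cost; this.descr = descr;
        this.output = output;
    }

    /** Ask which MySQL account to perform the update as; returns null if cancelled. */
    static Object[] promptCredentials(Component parent) {
        JTextField user = new JTextField(16);
        JPasswordField pass = new JPasswordField(16);
        JPanel panel = new JPanel(new GridLayout(2, 2));
        panel.add(new JLabel("MySQL user:")); panel.add(user);
        panel.add(new JLabel("Password:"));   panel.add(pass);
        int choice = JOptionPane.showConfirmDialog(parent, panel,
                "Update requires DB admin login", JOptionPane.OK_CANCEL_OPTION);
        if (choice != JOptionPane.OK_OPTION) return null;
        return new Object[] { user.getText(), pass.getPassword() };
    }

    /**
     * Runs the update over a fresh, short-lived connection opened as the given
     * account, so MySQL's own privilege tables enforce who may write. A
     * PreparedStatement carries the field text as parameters, never as SQL
     * text, and the WHERE clause limits the change to one row.
     * Returns the number of rows changed: 1 on success, 0 if coeffno is unknown.
     */
    static int updateCoefficient(String url, String user, char[] password,
                                 String coeffno, String cost, String descr) throws SQLException {
        String sql = "UPDATE coefficient SET cost = ?, descr = ? WHERE coeffno = ?";
        try (Connection conn = DriverManager.getConnection(url, user, new String(password));
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, cost);
            ps.setString(2, descr);
            ps.setString(3, coeffno);
            return ps.executeUpdate();
        }
    }

    public void actionPerformed(ActionEvent e) {
        if (coeffno.getText().isEmpty()) return;
        Object[] cred = promptCredentials(parent);
        if (cred == null) return;
        String user = (String) cred[0];
        char[] password = (char[]) cred[1];
        try {
            int rows = updateCoefficient(URL, user, password,
                    coeffno.getText(), cost.getText(), descr.getText());
            output.append(rows == 1 ? "\nUpdate successful\n"
                                    : "\nUpdate failed: no row with that coeffno\n");
        } catch (SQLException ex) {
            // 1045: wrong user/password; 1142: account exists but lacks UPDATE on the table
            int code = ex.getErrorCode();
            String why = (code == 1045 || code == 1142) ? "not permitted for user " + user
                                                        : ex.getMessage();
            output.append("\nUpdate refused: " + why + "\n");
        } finally {
            Arrays.fill(password, '\0'); // don't keep the typed password around
        }
    }
}
```

Wired into the posted button code this becomes `updateCoeff.addActionListener(new UpdateRecord(this, fields.coeffno, fields.cost, fields.descr, output));`. The connection the program already holds (opened as the read-only account) stays in use for SELECTs; only the Update button opens a second connection as whoever typed the credentials, so there is no second build of the program and nothing to bypass on the client side.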