I want to make an applet which directly accesses a MySQL database. The database is on the same server from which the applet has been downloaded. Now the problem I am facing is with regard to drivers. I use the Class.forName() method to load the drivers. Now what changes do I need to make to the 1. Applet code 2. The Applet tag 3. The client machine 4. The server to make this method work? I tried changing the codebase attribute and unjarring the jar file containing the driver class file, but still it was throwing a ClassNotFound error. Please help me.
The only changes you need to make concern the applet tag. It needs to have an archive attribute that references the jar file of the driver (which needs to be in the same directory as the applet itself). Don't unjar that file into its constituent classes.
One more question related to applets and JDBC. Would it be advisable to use applets for directly communicating with the database server? What security risks would it pose? One, which I can think of, is that I am passing the root password of the database server as an argument to the getConnection() method in my code. Now since applets are run on the client's machine, it might be possible that the client gets hold of the class files and decompiles them to get the password. Is there any remedy to this?
You hit the nail on the head - that is precisely the one huge security problem with using JDBC in applets. It may be acceptable in an intranet setting, but I'd recommend not to use JDBC over the public Internet. (An exception may be for clients that perform read-only operations exclusively, and you're using an account that prohibits all change operations. It's debatable, though.)
No decompiling is even necessary - unless SSL is used, all SQL data is transmitted in clear text, so a simple TCP/IP sniffer can record the traffic.
And, of course, never use the DB root password - always create an account that is used only for that particular client, which has only the rights necessary for that client type.
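
Added example, not part of the original thread: one way to set up the dedicated, restricted account and the SSL requirement described in the reply above, in MySQL 5.7+ syntax. The account name `applet_ro`, the schema `shop`, the table `products` and the resource limits are assumptions made for illustration.

```sql
-- Run as a DBA account on the server. The applet never sees these credentials.

-- Dedicated account for this one client type. The host part is '%' because
-- the applet runs on arbitrary client machines, so the account must be
-- treated as known to anyone who can download the applet.
-- REQUIRE SSL makes the server reject any unencrypted connection attempt
-- for this account, so credentials and SQL are not sent in clear text.
CREATE USER 'applet_ro'@'%'
    IDENTIFIED BY 'REPLACE_WITH_GENERATED_PASSWORD'   -- placeholder
    REQUIRE SSL
    WITH MAX_USER_CONNECTIONS 5                        -- assumed limits that
         MAX_QUERIES_PER_HOUR 600;                     -- cap abuse of the account

-- Read-only access to the single table the applet displays.
-- No INSERT/UPDATE/DELETE, no DDL, no access to other schemas.
GRANT SELECT ON shop.products TO 'applet_ro'@'%';

-- Check 1: the grant list should show only USAGE plus the SELECT above.
SHOW GRANTS FOR 'applet_ro'@'%';

-- Check 2: the account must hold no global privileges.
-- Expected result: a single row with privilege_type = 'USAGE'.
SELECT grantee, privilege_type
FROM information_schema.user_privileges
WHERE grantee = "'applet_ro'@'%'";

-- Check 3: run while connected as applet_ro. A non-empty value confirms
-- the session is encrypted; an empty value means it is clear text.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

The password embedded in the applet is still recoverable by the client, so the grants on this account are the actual security boundary: anything `applet_ro` may read is effectively public.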