
# SQL Connection Strings

> Detecting and securing database connection strings

## Common Misconfiguration

Hardcoded database connection strings put the database password into every copy of the source, the version control history, build artifacts and container images. Anyone who can read the code can read the credential, and rotating it requires a code change and a redeploy.

### Vulnerable Example

```java theme={null}
// VULNERABLE - Hardcoded connection strings
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class DatabaseConfig {
    // MySQL connection string with the password as a query parameter
    private static final String MYSQL_URL = "jdbc:mysql://prod-db.company.com:3306/customers?user=root&password=MyP@ssw0rd123!";

    // PostgreSQL with the password in the userinfo part of the URL
    private static final String POSTGRES_URL = "postgresql://dbadmin:SecretPass123!@postgres.company.com:5432/production";

    // SQL Server connection
    private static final String SQLSERVER_CONN = "Server=sql.company.com;Database=ProductionDB;User Id=sa;Password=AdminP@ss2024;";

    // Oracle connection
    private static final String ORACLE_URL = "jdbc:oracle:thin:system/Oracle123@//oracle.company.com:1521/PRODDB";

    public Connection getMySQLConnection() throws SQLException {
        // Anyone with read access to this class or its git history has root on the database
        return DriverManager.getConnection(MYSQL_URL);
    }
}
```

```yml theme={null}
# VULNERABLE - application.yml with passwords
spring:
  datasource:
    url: jdbc:postgresql://localhost:5432/myapp
    username: postgres
    password: postgres123!
    driver-class-name: org.postgresql.Driver
```

## Secure Example

```java theme={null}
// SECURE - Credentials come from the environment or a secrets manager, never from source
import javax.sql.DataSource;
import com.zaxxer.hikari.HikariConfig;
import com.zaxxer.hikari.HikariDataSource;

public class SecureDatabaseConfig {

    private final DataSource dataSource;

    public SecureDatabaseConfig() {
        this.dataSource = createDataSource();
    }

    public DataSource getDataSource() {
        return dataSource;
    }

    private DataSource createDataSource() {
        // Read from environment variables (preferred)
        String dbUrl = System.getenv("DATABASE_URL");
        String dbUser = System.getenv("DATABASE_USER");
        String dbPass = System.getenv("DATABASE_PASSWORD");

        // Or fetch them from a secrets management service. SecretManager and
        // DatabaseCredentials are placeholders for your provider's client
        // (Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager).
        // if (dbUrl == null) {
        //     SecretManager secretManager = new SecretManager();
        //     DatabaseCredentials creds = secretManager.getDatabaseCredentials("prod-db");
        //     dbUrl = creds.getUrl();
        //     dbUser = creds.getUsername();
        //     dbPass = creds.getPassword();
        // }

        // Fail fast at startup; never fall back to a default credential in code
        if (dbUrl == null || dbUser == null || dbPass == null) {
            throw new IllegalStateException(
                "DATABASE_URL, DATABASE_USER and DATABASE_PASSWORD must be set");
        }

        HikariConfig config = new HikariConfig();
        config.setJdbcUrl(dbUrl);
        config.setUsername(dbUser);
        config.setPassword(dbPass);

        // Configure connection pool
        config.setMaximumPoolSize(10);
        config.setMinimumIdle(5);
        config.setConnectionTimeout(30000);

        return new HikariDataSource(config);
    }
}
```

```yml theme={null}
# SECURE - application.yml with placeholders resolved from the environment at startup
spring:
  datasource:
    url: ${DATABASE_URL}
    username: ${DATABASE_USER}
    password: ${DATABASE_PASSWORD}
    driver-class-name: org.postgresql.Driver
    # Do not add a default such as ${DATABASE_PASSWORD:postgres123!}; that puts the
    # credential back into the file. An unresolved placeholder fails startup, which is
    # the behaviour you want.

  # Or use Spring Cloud Config Server or Vault
  cloud:
    config:
      uri: https://config-server.company.com
      username: ${CONFIG_SERVER_USER}
      password: ${CONFIG_SERVER_PASSWORD}
```

## Detection Patterns

* MySQL: `mysql://[^:/@\s]+:[^@/\s]+@` (excluding `/` and whitespace from the password part keeps `host:port/db` from matching as `user:password`)
* PostgreSQL: `postgres(ql)?://[^:/@\s]+:[^@/\s]+@`
* SQL Server: `(Server|Data Source)=[^;]+;.*(Password|Pwd)=[^;]+` (the `.*` is required: `Password=` rarely follows `Server=` directly, as the example above shows)
* Oracle: `jdbc:oracle:thin:[^/\s]+/[^@\s]+@`
* MongoDB: `mongodb(\+srv)?://[^:/@\s]+:[^@/\s]+@`
* JDBC query parameter: `jdbc:\w+://[^\s"']*[?&]password=[^&\s"']+` (the MySQL example above passes its password this way and is not caught by the `user:password@` pattern)

Treat a match whose value is a placeholder such as `${DATABASE_PASSWORD}` as a non-finding, and redact the captured value in the scanner's report so the report does not become a second copy of the credential.
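The patterns above run over the page's own vulnerable examples, as an added example (this is not the page's or any product's scanner). The rules follow the list above, widened to cover passwords passed as JDBC query parameters and as config-file keys, and tightened so `host:port/db` is not mistaken for `user:password`. The sample text is constructed for the example; `scan_text`, `redact` and the rule names are this example's own.

```python
"""Scan source and config text for hardcoded database credentials (added example)."""
import re

# Rule name -> pattern.  Group 1 captures the secret so the report can redact it.
RULES = {
    # user:password@ in URL-style DSNs; excluding '/' and whitespace from the
    # password stops host:port/db from matching as user:password
    "mysql-url":    re.compile(r"mysql://[^:/@\s]+:([^@/\s]+)@"),
    "postgres-url": re.compile(r"postgres(?:ql)?://[^:/@\s]+:([^@/\s]+)@"),
    "mongodb-url":  re.compile(r"mongodb(?:\+srv)?://[^:/@\s]+:([^@/\s]+)@"),
    # Oracle thin driver: jdbc:oracle:thin:user/password@host
    "oracle-thin":  re.compile(r"jdbc:oracle:thin:[^/\s]+/([^@\s]+)@"),
    # JDBC URLs that pass the password as a query parameter
    "jdbc-query":   re.compile(r"jdbc:\w+://[^\s\"']*?[?&]password=([^&\s\"']+)", re.I),
    # SQL Server key=value strings; Password may appear anywhere after Server
    "sqlserver-kv": re.compile(r"(?:Server|Data Source)=[^;]+;.*?(?:Password|Pwd)=([^;\s\"']+)", re.I),
    # YAML / .properties keys: "password: x", "db_password=x", "spring.datasource.password=x"
    "config-key":   re.compile(r"^\s*[\w.-]*password\s*[:=]\s*['\"]?([^'\"\s#]+)", re.I),
}

# Values that are references to a secret rather than the secret itself
PLACEHOLDER = re.compile(r"^(\$\{[^}]*\}|\$[A-Za-z_]\w*|\{\{.*\}\}|<[^>]*>)$")


def redact(secret):
    """Keep two characters so a finding can be matched to its line, never the value."""
    return secret[:2] + "***"


def scan_text(text, source="<input>"):
    """Return one finding per credential-bearing line: (source, line_no, rule, redacted)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                secret = match.group(1)
                if PLACEHOLDER.match(secret):
                    continue  # ${DATABASE_PASSWORD} is the fix, not a finding
                findings.append((source, line_no, rule, redact(secret)))
    return findings


# Constructed sample: the vulnerable Java and YAML lines from this page, a URL
# without credentials, and a correct placeholder line (lines 5 and 7 must not fire)
SAMPLE = """\
private static final String MYSQL_URL = "jdbc:mysql://prod-db.company.com:3306/customers?user=root&password=MyP@ssw0rd123!";
private static final String POSTGRES_URL = "postgresql://dbadmin:SecretPass123!@postgres.company.com:5432/production";
private static final String SQLSERVER_CONN = "Server=sql.company.com;Database=ProductionDB;User Id=sa;Password=AdminP@ss2024;";
private static final String ORACLE_URL = "jdbc:oracle:thin:system/Oracle123@//oracle.company.com:1521/PRODDB";
    url: jdbc:postgresql://localhost:5432/myapp
    password: postgres123!
    password: ${DATABASE_PASSWORD}
"""

if __name__ == "__main__":
    for source, line_no, rule, redacted in scan_text(SAMPLE, "DatabaseConfig.java"):
        print(f"{source}:{line_no}: {rule} -> {redacted}")
```

Run as a pre-commit hook or CI step over `git diff --cached`, the scanner reports five findings on the sample and nothing for the placeholder line or the credential-free URL; the `.*?` in the SQL Server rule is what makes the page's own SQL Server example match.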

## Prevention Best Practices

1. **Use Environment Variables:** Never hardcode credentials. Load them from environment variables at runtime, and fail startup when one is missing rather than falling back to a default value in code or config.
2. **Use Secrets Management:** Store credentials securely in a dedicated service like HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager, and have the application fetch them at startup so they never appear in the repository, the image, or the deployment manifest.
3. **Use Connection Pooling:** Use a connection pool (like HikariCP) to manage database connections efficiently; credentials are then read once at startup instead of being passed around the code base.
4. **Enable SSL/TLS:** Encrypt data in transit by enforcing SSL/TLS connections to your database with certificate verification (for example `sslmode=verify-full` for PostgreSQL, `sslMode=VERIFY_IDENTITY` for MySQL Connector/J, `Encrypt=true;TrustServerCertificate=false` for SQL Server). An encrypted connection that does not verify the server certificate still allows an attacker on the network path to impersonate the database.
5. **Minimal Privileges:** Use dedicated database service accounts with the absolute minimum (least-privilege) permissions they need (e.g., `SELECT`, `INSERT` on specific tables, not `root` or `sa`).
6. **Rotate Passwords:** Regularly rotate all database passwords, and rotate immediately when one is found in source control: a committed secret stays in the history after the line is removed.
7. **Implement Audit Logging:** Enable database audit logging to monitor for suspicious activity.
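The practices above that can be checked mechanically before a pool is started (no password inside the DSN, a least-privilege account, TLS with certificate verification), as an added example in Python that is not code from the page. The parameter names are the documented ones for libpq and the PostgreSQL JDBC driver (`sslmode`), MySQL Connector/J (`sslMode`) and the SQL Server drivers (`Encrypt`, `TrustServerCertificate`); `check_dsn`, the `SUPERUSERS` blocklist and the `db.internal` hostnames are this example's own assumptions to adapt to your estate.

```python
"""Policy check for a database DSN before a connection pool is started (added example)."""
from urllib.parse import parse_qs, urlsplit

# Built-in administrative accounts that an application must never run as (assumed list)
SUPERUSERS = {"root", "sa", "system", "sys", "postgres", "admin"}

# URL scheme -> (query parameter, required value, documented spelling for the message).
# Both are compared lower-cased; only these values make the driver verify the certificate.
STRICT_TLS = {
    "postgresql": ("sslmode", "verify-full", "sslmode=verify-full"),
    "postgres":   ("sslmode", "verify-full", "sslmode=verify-full"),
    "mysql":      ("sslmode", "verify_identity", "sslMode=VERIFY_IDENTITY"),
}


def _split_kv(conn):
    """Parse 'Key=Value;Key=Value' (SQL Server style) into a lower-cased dict."""
    pairs = (p.split("=", 1) for p in conn.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def check_dsn(dsn, username=None):
    """Return the policy violations for dsn; an empty list means it passes.

    username is the account supplied out of band (e.g. DATABASE_USER) and is
    only consulted when the DSN itself does not name a user.
    """
    issues = []
    if "://" in dsn:
        url = dsn[len("jdbc:"):] if dsn.lower().startswith("jdbc:") else dsn
        parts = urlsplit(url)
        query = {k.lower(): v[-1] for k, v in parse_qs(parts.query).items()}
        user = parts.username or query.get("user") or username
        if parts.password is not None or "password" in query:
            issues.append("password embedded in DSN")
        tls = STRICT_TLS.get(parts.scheme.lower())
        if tls is None:
            issues.append(f"no TLS rule for scheme {parts.scheme!r}; review manually")
        elif query.get(tls[0], "").lower() != tls[1]:
            issues.append(f"TLS not verified; set {tls[2]}")
    else:
        kv = _split_kv(dsn)
        user = kv.get("user id") or kv.get("uid") or username
        if "password" in kv or "pwd" in kv:
            issues.append("password embedded in DSN")
        if kv.get("encrypt", "").lower() not in {"true", "yes", "mandatory", "strict"}:
            issues.append("TLS not enforced; set Encrypt=true (driver defaults differ by version)")
        if kv.get("trustservercertificate", "").lower() in {"true", "yes"}:
            issues.append("server certificate not verified; set TrustServerCertificate=false")
    if user and user.lower() in SUPERUSERS:
        issues.append(f"administrative account {user!r}; use a least-privilege role")
    return issues


if __name__ == "__main__":
    # The page's vulnerable strings next to hardened equivalents (hostnames assumed)
    for dsn, user in [
        ("jdbc:mysql://prod-db.company.com:3306/customers?user=root&password=MyP@ssw0rd123!", None),
        ("Server=sql.company.com;Database=ProductionDB;User Id=sa;Password=AdminP@ss2024;", None),
        ("jdbc:postgresql://db.internal:5432/app?sslmode=verify-full", "app_reader"),
        ("Server=sql.internal;Database=App;Encrypt=true;TrustServerCertificate=false;", "app_svc"),
    ]:
        print(dsn, "->", check_dsn(dsn, user) or "OK")
```

Call `check_dsn(os.environ["DATABASE_URL"], os.environ["DATABASE_USER"])` in the same startup path that builds the pool and refuse to start on any violation; the hardened DSNs in the example carry no password because the pool receives it separately.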
