我想存储我正在开发的WordPress插件需要从API获取信息的服务的API密钥。 我知道有两个选项:
1)WordPress的选项机制
2)创建一个新的数据库表
据我所知,在一天结束时两者都是相同的,因为他们将信息存储在MySQL表中,并且该数据可能被另一个插件访问。
有没有办法存储数据,以便其他插件无法读取?
这是我应该担心的问题吗?
I want to store an API key for a service that the WordPress plugin I am developing needs to get information from an API. There are two options that I am aware of:
1) WordPress's options mechanism
2) Create a new database table
As far as I can tell, at the end of the day both are the same in that they are storing the information in a MySQL table and that data could potentially be accessed by another plugin.
Is there any way to store data so that it cannot be read by other plugins?
Is this even a concern I should be worried about?
最满意答案
插件可能会转储整个数据库并通过电子邮件将其发送给作者,因此以某种方式存储它几乎没用。
这基本上归结为两件事,将它存储在一个外部数据库中,只有你的插件可以访问它,或者只是用盐键进行双向编码/解码,所以你的插件是唯一可以解密的东西。
如果仍然需要从其他插件访问数据库,那么将API密钥存储在PHP文件中。 它不会被替换,但你可以将MySQL从列表中删除。
除非您在Wordpress上安装最差和最不知名的插件,否则您可能应该对您网站的安全性充满信心。 公平地说,如果有人可以访问您的所有用户详细信息和密码以及可能对您的服务器进行FTP访问,那么关注要被盗的API密钥是最不重要的事情。
A plugin can potentially dump your entire database and send it to it's authors through email, so one way or other to store it's pretty much useless.
This boils down essentially to 2 things, store it in an external database, where just your plugin have access to that or just do a two-way encode/decode with a salted key so your plugin it's the only thing can decrypt it.
If database access from other plugins is still a concern then store the API key within your PHP file. It won't be replaceable but you can take MySQL off the list.
On a personal opinion unless you are installing the worst and least known plugins on Wordpress you probably should be quite confident about the security of your website. To be fair probably caring about an API key to be stolen is the least concerning thing when you have someone that could access all your user details and passwords and potentially FTP access to your server.
更多推荐
发布评论