Title: Security problem for Google Sheets Last modified: March 2, 2020 --- # Security problem for Google Sheets * Resolved [codydoby](https://wordpress.org/support/users/codydoby/) * (@codydoby) * [6 years, 3 months ago](https://wordpress.org/support/topic/security-problem-for-google-sheets/) * Google Sheets datasources should be hardened. Find the publicly shared Google Sheets ID can be seen directly from TABLE id. * I want show only several columns of one Google Sheets on my web page. Thus the ID of publicly shared Google should should not be known by visitor. * I modified the code to make the Google Sheets ID be hashed. * ``` /** * Gets the shortcode's ID for output as an HTML ID attribute. * * @param string $key * * @uses sanitize_title_with_dashes() * @uses wp_salt() * * @return string */ private function getDocId ( $key ) { $m = array(); preg_match( self::$gdoc_url_regex, $key, $m ); if ( ! empty( $m[1] ) ) { $id = $m[1]; } else { $id = sanitize_title_with_dashes( $key ); } $id = hash( 'sha256', wp_salt() . "$id" ); if ( 'mysql' === self::getDocTypeByKey( $key ) ) { $p = parse_url( $key ); // Omit the password from the hash. $id = hash( 'sha256', wp_salt() . "{$p['scheme']}://{$p['user']}@{$p['host']}{$p['path']}" ); } return $id; } ``` Viewing 1 replies (of 1 total) * Plugin Author [Meitar](https://wordpress.org/support/users/meitar/) * (@meitar) * [6 years, 3 months ago](https://wordpress.org/support/topic/security-problem-for-google-sheets/#post-12497415) * This is not a security vulnerability, this is how the plugin _works_. Aside from which, your code is not a data protection mechanism, it is a data obfuscation mechanism, that is, it is “[security through obscurity.](https://en.wikipedia.org/wiki/Security_through_obscurity)” * Moreover, as mentioned in the README, this plugin only works with Google Sheets that are publicly shared. Hashing the ID of the Google Sheet document in the way you have simply obscures the ID from visitors browsing _your web site_. It does nothing to stop a Web crawler, visitor, or search engine from accessing the data in your published Google Sheet. * > I want show only several columns of one Google Sheets on my web page. Thus > the ID of publicly shared Google should should not be known by visitor. * This is also incorrect, by which I mean your methodology is unsafe. If you want to publish only a portion of a Google Sheet, you should keep your data in a private Google Sheet and then [`=QUERY()`](https://support.google.com/docs/answer/3093343) for the public sections only from a second, public Google Sheet. This mechanism _actually_ protects your private data, instead of simply obscuring it. Viewing 1 replies (of 1 total) The topic ‘Security problem for Google Sheets’ is closed to new replies. * ![](https://s.w.org/plugins/geopattern-icon/inline-google-spreadsheet-viewer. svg) * [Inline Google Spreadsheet Viewer](https://wordpress.org/plugins/inline-google-spreadsheet-viewer/) * [Frequently Asked Questions](https://wordpress.org/plugins/inline-google-spreadsheet-viewer/#faq) * [Support Threads](https://wordpress.org/support/plugin/inline-google-spreadsheet-viewer/) * [Active Topics](https://wordpress.org/support/plugin/inline-google-spreadsheet-viewer/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/inline-google-spreadsheet-viewer/unresolved/) * [Reviews](https://wordpress.org/support/plugin/inline-google-spreadsheet-viewer/reviews/) ## Tags * [Google Sheets](https://wordpress.org/support/topic-tag/google-sheets/) * 1 reply * 2 participants * Last reply from: [Meitar](https://wordpress.org/support/users/meitar/) * Last activity: [6 years, 3 months ago](https://wordpress.org/support/topic/security-problem-for-google-sheets/#post-12497415) * Status: resolved