Menu
According to http://laravel.com/docs/eloquent, one can Hide Attributes From Array Or JSON Conversion by using a protected $hidden variable in the Model.
class User extends Eloquent {
protected $hidden = array('password');
}
Great, however when running print_r(User::all()) the encrypted password is sent from server to client inside the User object.
This is not just restricted to print_r(), if the specific user is queried, $user->password will display the encrypted password in the view.
Is there a way of stopping this? Every time my user object is queried, the password will sent with it as part of the data, even though it doesn't need to be.
Illuminate\Database\Eloquent\Collection Object
(
[items:protected] => Array
(
[0] => User Object
(
[hidden:protected] => Array
(
[0] => password
)
[connection:protected] =>
[table:protected] =>
[primaryKey:protected] => id
[perPage:protected] => 15
[incrementing] => 1
[timestamps] => 1
[attributes:protected] => Array
(
[id] => 1
[email] => [email protected]
[first_name] => Admin
[last_name] => User
[password] => $2y$10$7Wg2Wim9zHbtGQRAi0z6XeapJbAIoh4RhEnVXvdMtFnwcOh5g/W2a
[permissions] =>
[activated] => 1
[activation_code] =>
[activated_at] =>
[last_login] =>
[persist_code] =>
[reset_password_code] =>
[created_at] => 2013-09-26 10:24:23
[updated_at] => 2013-09-26 10:24:23
)
553
According to http://laravel.com/docs/eloquent, one can Hide Attributes From Array Or JSON Conversion by using a protected $hidden variable in the Model. Great, however when running print_r(User::all()) the encrypted password is sent from server to client inside the User object.
Laravel is a popular development platform that is well known for its performance and the active user community. Out of the box, Laravel is pretty secure – but, of course, no framework could claim to be 100% secure.
Appends is for when you want data that is not available in the database on your model.
When you run User::all(), it returns a Collection object. This Collection contains all your Users in object form. Therefore, your Users will contain their passwords. This is so you can display the hashed password for whatever reason. However, as you said before, if you transform the Collection or Users into arrays or JSON, the password field should be gone if hidden.
Therefore, if you want to get rid of them, try running the following:
$array_of_users = Users::all()->toArray();
$json_of_users = Users::all()->toJson();
dd() these both to inspect them. The password field will be gone.
This is explained in Laravel's documentation on serialization.
66
No, because you should NOT do something like that in production (or in the real world).
Your views, written in Blade, can receive a User::all() result and process it, but that's PHP (server), not HTML (client), and it will transform that data to HTML before it is passed to the client.
So this
print_r(User::all())
Is something that you'll never do to show to a user, it's something we use to debug, but it really means nothing.
But if you have any other examples, when sensitive data can be passed through a view to your client, we can discuss that too.
29
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
