Laravel hidden attributes. e.g. Password - security

According to http://laravel.com/docs/eloquent, one can Hide Attributes From Array Or JSON Conversion by using a protected $hidden variable in the Model.

class User extends Eloquent {
    protected $hidden = array('password');
}

Great, however when running print_r(User::all()) the encrypted password is sent from server to client inside the User object.

This is not just restricted to print_r(), if the specific user is queried, $user->password will display the encrypted password in the view.

Is there a way of stopping this? Every time my user object is queried, the password will be sent with it as part of the data, even though it doesn't need to be.

Illuminate\Database\Eloquent\Collection Object
(
[items:protected] => Array
    (
        [0] => User Object
            (
                [hidden:protected] => Array
                    (
                        [0] => password
                    )

                [connection:protected] => 
                [table:protected] => 
                [primaryKey:protected] => id
                [perPage:protected] => 15
                [incrementing] => 1
                [timestamps] => 1
                [attributes:protected] => Array
                    (
                        [id] => 1
                        [email] => [email protected]
                        [first_name] => Admin
                        [last_name] => User
                        [password] => $2y$10$7Wg2Wim9zHbtGQRAi0z6XeapJbAIoh4RhEnVXvdMtFnwcOh5g/W2a
                        [permissions] => 
                        [activated] => 1
                        [activation_code] => 
                        [activated_at] => 
                        [last_login] => 
                        [persist_code] => 
                        [reset_password_code] => 
                        [created_at] => 2013-09-26 10:24:23
                        [updated_at] => 2013-09-26 10:24:23
                    )
Gravy asked Sep 26 '13 16:09


2 Answers

When you run User::all(), it returns a Collection object. This Collection contains all your Users in object form. Therefore, your Users will contain their passwords. This is so you can display the hashed password for whatever reason. However, as you said before, if you transform the Collection or Users into arrays or JSON, the password field should be gone if hidden.

Therefore, if you want to get rid of them, try running the following:

// Model is named User (not Users); both conversions drop the $hidden attributes
$array_of_users = User::all()->toArray();
$json_of_users = User::all()->toJson();

dd() these both to inspect them. The password field will be gone.

This is explained in Laravel's documentation on serialization.

searsaw answered Oct 11 '22 10:10
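A runnable check of the point made in this answer, added here and not part of the original post: it assumes illuminate/database (Eloquent) is installed via Composer and uses an in-memory SQLite connection, and the users table, model and sample user are constructed for the demonstration.

```php
<?php
// Added example (not from the original post). Assumes: composer require illuminate/database
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Database\Capsule\Manager as Capsule;
use Illuminate\Database\Eloquent\Model;

// Stand-alone Eloquent bootstrap on an in-memory SQLite database (constructed)
$capsule = new Capsule;
$capsule->addConnection(['driver' => 'sqlite', 'database' => ':memory:', 'prefix' => '']);
$capsule->setAsGlobal();
$capsule->bootEloquent();

Capsule::schema()->create('users', function ($table) {
    $table->increments('id');
    $table->string('email');
    $table->string('password');
    $table->timestamps();
});

class User extends Model
{
    // Excluded from toArray()/toJson(), exactly as in the question
    protected $hidden = ['password'];
    // Mass-assignment whitelist so create() below is allowed
    protected $fillable = ['email', 'password'];
}

// Constructed sample user; the hash is what would normally come from Hash::make()
User::create([
    'email'    => 'admin@example.com',
    'password' => password_hash('constructed-sample-secret', PASSWORD_BCRYPT),
]);

$user = User::first();

// 1. On the server-side object the hash is still readable: $hidden is not access control
if (!is_string($user->password)) {
    throw new RuntimeException('hash should still be readable on the model object');
}

// 2. Serialisation is where $hidden applies: the key is absent from the array form
if (array_key_exists('password', $user->toArray())) {
    throw new RuntimeException('password leaked through toArray()');
}

// 3. ...and from the JSON form that a controller would return to the client
if (strpos(User::all()->toJson(), 'password') !== false) {
    throw new RuntimeException('password leaked through toJson()');
}

echo "hidden attribute kept on the object, dropped from array and JSON output\n";
```

The script exits silently with the final message when the behaviour matches the answer; any leak into the array or JSON form throws.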


No, because you should NOT do something like that in production (or in the real world).

Your views, written in Blade, can receive a User::all() result and process it, but that's PHP (server), not HTML (client), and it will transform that data to HTML before it is passed to the client.

So this

print_r(User::all())

is something that you'll never do to show to a user; it's something we use to debug, but it really means nothing.

But if you have any other examples, when sensitive data can be passed through a view to your client, we can discuss that too.

Antonio Carlos Ribeiro answered Oct 11 '22 09:10