According to http://laravel.com/docs/eloquent, one can Hide Attributes From Array Or JSON Conversion by using a protected $hidden variable in the Model.
class User extends Eloquent {
    protected $hidden = array('password');
}
Great, however when running print_r(User::all()) the encrypted password is sent from server to client inside the User object.
This is not just restricted to print_r(): if the specific user is queried, $user->password will display the encrypted password in the view.
Is there a way of stopping this? Every time my user object is queried, the password will be sent with it as part of the data, even though it doesn't need to be.
Illuminate\Database\Eloquent\Collection Object
(
[items:protected] => Array
(
[0] => User Object
(
[hidden:protected] => Array
(
[0] => password
)
[connection:protected] =>
[table:protected] =>
[primaryKey:protected] => id
[perPage:protected] => 15
[incrementing] => 1
[timestamps] => 1
[attributes:protected] => Array
(
[id] => 1
[email] => admin@admin.com
[first_name] => Admin
[last_name] => User
[password] => $2y$10$7Wg2Wim9zHbtGQRAi0z6XeapJbAIoh4RhEnVXvdMtFnwcOh5g/W2a
[permissions] =>
[activated] => 1
[activation_code] =>
[activated_at] =>
[last_login] =>
[persist_code] =>
[reset_password_code] =>
[created_at] => 2013-09-26 10:24:23
[updated_at] => 2013-09-26 10:24:23
)
When you run User::all(), it returns a Collection object. This Collection contains all your Users in object form. Therefore, your Users will contain their passwords. This is so you can display the hashed password for whatever reason. However, as you said before, if you transform the Collection or Users into arrays or JSON, the password field should be gone if hidden. Therefore, if you want to get rid of them, try running the following:
dd() these both to inspect them. The password field will be gone. This is explained in Laravel's documentation on serialization.
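As an added example (not from the question or any of the answers), a PHPUnit test showing what $hidden does and does not cover; it assumes a Laravel 4 application with the User model from the question, a users table, and the stock app/tests/TestCase.php base class:

```php
<?php
// Added example, not code from the question or answers. Assumes a Laravel 4
// app with the User model above (protected $hidden = array('password')).

use Illuminate\Support\Facades\Hash;

class HiddenAttributeTest extends TestCase
{
    public function testHiddenOnlyAppliesToSerialization()
    {
        // Constructed sample user; the password is stored as a bcrypt hash.
        $user = new User();
        $user->email    = 'alice@example.com';
        $user->password = Hash::make('correct horse battery staple');
        $user->save();

        $fresh = User::find($user->id);

        // The model object itself still carries the hash: $hidden does not
        // remove the attribute, so a print_r()/dd() dump or $user->password
        // in a view will show it.
        $this->assertNotNull($fresh->password);
        $this->assertArrayHasKey('password', $fresh->getAttributes());

        // Array and JSON conversion, which is what reaches the client when a
        // model is returned from a controller or passed to a JSON response,
        // omits every key listed in $hidden.
        $this->assertArrayNotHasKey('password', $fresh->toArray());
        $this->assertArrayNotHasKey('password', json_decode($fresh->toJson(), true));

        // A Collection serializes each item the same way.
        foreach (User::all()->toArray() as $row) {
            $this->assertArrayNotHasKey('password', $row);
        }
    }
}
```

Run it with phpunit from the application root; the two assertArrayHasKey/assertNotNull checks are the ones that explain the dump in the question.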
No, because you should NOT do something like that in production (or in the real world).
Your views, written in Blade, can receive a User::all() result and process it, but that's PHP (server), not HTML (client), and it will transform that data to HTML before it is passed to the client. So this is something that you'll never do to show to a user; it's something we use to debug, but it really means nothing.
But if you have any other examples, when sensitive data can be passed through a view to your client, we can discuss that too.
In Laravel, if you return any model object from a controller that represents an entity, it will be converted into JSON.
That is useful for API creation, and there hidden fields help a lot.