Gravy Gravy - 1 year ago 54
PHP Question

Laravel hidden attributes. e.g. Password - security

According to, one can Hide Attributes From Array Or JSON Conversion by using a protected $hidden variable in the Model.

class User extends Eloquent {
protected $hidden = array('password');

Great, however when running
the encrypted password is sent from server to client inside the User object.

This is not just restricted to print_r(), if the specific user is queried,
will display the encrypted password in the view.

Is there a way of stopping this? Every time my user object is queried, the password will sent with it as part of the data, even though it doesn't need to be.

Illuminate\Database\Eloquent\Collection Object
[items:protected] => Array
[0] => User Object
[hidden:protected] => Array
[0] => password

[connection:protected] =>
[table:protected] =>
[primaryKey:protected] => id
[perPage:protected] => 15
[incrementing] => 1
[timestamps] => 1
[attributes:protected] => Array
[id] => 1
[email] =>
[first_name] => Admin
[last_name] => User
[password] => $2y$10$7Wg2Wim9zHbtGQRAi0z6XeapJbAIoh4RhEnVXvdMtFnwcOh5g/W2a
[permissions] =>
[activated] => 1
[activation_code] =>
[activated_at] =>
[last_login] =>
[persist_code] =>
[reset_password_code] =>
[created_at] => 2013-09-26 10:24:23
[updated_at] => 2013-09-26 10:24:23

Answer Source

When you run User::all(), it returns a Collection object. This Collection contains all your Users in object form. Therefore, your Users will contain their passwords. This is so you can display the hashed password for whatever reason. However, as you said before, if you transform the Collection or Users into arrays or JSON, the password field should be gone if hidden.

Therefore, if you want to get rid of them, try running the following:

$array_of_users = Users::all()->toArray();
$json_of_users = Users::all()->toJson();

dd() these both to inspect them. The password field will be gone.