Laravel hidden attributes. e.g. Password - security
Original URL: http://stackoverflow.com/questions/19033925/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Asked by Gravy
According to http://laravel.com/docs/eloquent, one can Hide Attributes From Array Or JSON Conversion by using a protected $hidden variable in the Model.
class User extends Eloquent {
    protected $hidden = array('password');
}
Great, however when running print_r(User::all()) the encrypted password is sent from server to client inside the User object.
This is not just restricted to print_r(), if the specific user is queried, $user->password will display the encrypted password in the view.
Is there a way of stopping this? Every time my user object is queried, the password will be sent with it as part of the data, even though it doesn't need to be.
Illuminate\Database\Eloquent\Collection Object
(
[items:protected] => Array
(
[0] => User Object
(
[hidden:protected] => Array
(
[0] => password
)
[connection:protected] =>
[table:protected] =>
[primaryKey:protected] => id
[perPage:protected] => 15
[incrementing] => 1
[timestamps] => 1
[attributes:protected] => Array
(
[id] => 1
[email] => [email protected]
[first_name] => Admin
[last_name] => User
[password] => yWg2Wim9zHbtGQRAi0z6XeapJbAIoh4RhEnVXvdMtFnwcOh5g/W2a
[permissions] =>
[activated] => 1
[activation_code] =>
[activated_at] =>
[last_login] =>
[persist_code] =>
[reset_password_code] =>
[created_at] => 2013-09-26 10:24:23
[updated_at] => 2013-09-26 10:24:23
)
Answered by searsaw
When you run User::all(), it returns a Collection object. This Collection contains all your Users in object form. Therefore, your Users will contain their passwords. This is so you can display the hashed password for whatever reason. However, as you said before, if you transform the Collection or Users into arrays or JSON, the password field should be gone if hidden.
Therefore, if you want to get rid of them, try running the following:
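// The model class defined in the question is User, so query that class.
// Converting to an array or to JSON is where the $hidden list is applied.
$array_of_users = User::all()->toArray();
$json_of_users = User::all()->toJson();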
dd() these both to inspect them. The password field will be gone.
This is explained in Laravel's documentation on serialization.
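The behaviour discussed in the question and in the answer above, as an added example that is not part of the original posts and is not Laravel's code: a plain-PHP stand-in (the hypothetical `StandInModel` class, with a constructed sample row) in which `$hidden` is consulted only during array/JSON conversion, so an object dump and `$user->password` still reach the stored hash while the serialized output does not.

```php
<?php
// Stand-in for an Eloquent model (hypothetical, not Laravel's code): attributes
// live in a protected array and $hidden is consulted only when serializing.
class StandInModel implements JsonSerializable
{
    protected $hidden = [];
    protected $attributes = [];

    public function __construct(array $attributes)
    {
        $this->attributes = $attributes;
    }

    // Direct property access reads the raw attribute; $hidden is not checked.
    public function __get($key)
    {
        return $this->attributes[$key] ?? null;
    }

    // Array conversion drops every key listed in $hidden.
    public function toArray(): array
    {
        return array_diff_key($this->attributes, array_flip($this->hidden));
    }

    // json_encode() goes through the same filtered array.
    public function jsonSerialize(): array
    {
        return $this->toArray();
    }
}

class User extends StandInModel
{
    protected $hidden = ['password'];
}

// Constructed sample row; the hash is a placeholder, not a real credential.
$user = new User(['id' => 1, 'email' => 'admin@example.test', 'password' => 'PLACEHOLDER_HASH']);

// Paths that bypass $hidden: dumping the object and reading the attribute.
$dump = print_r($user, true);
printf("print_r dump contains hash: %s\n", var_export(strpos($dump, 'PLACEHOLDER_HASH') !== false, true));
printf("\$user->password returns hash: %s\n", var_export($user->password === 'PLACEHOLDER_HASH', true));

// Paths that honour $hidden: the array and JSON forms an API response would carry.
printf("toArray() has password key: %s\n", var_export(array_key_exists('password', $user->toArray()), true));
printf("JSON contains hash: %s\n", var_export(strpos(json_encode($user), 'PLACEHOLDER_HASH') !== false, true));
```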
Answered by Antonio Carlos Ribeiro
No, because you should NOT do something like that in production (or in the real world).
Your views, written in Blade, can receive a User::all() result and process it, but that's PHP (server), not HTML (client), and it will transform that data to HTML before it is passed to the client.
So this
print_r(User::all())
is something that you'll never do to show to a user; it's something we use to debug, but it really means nothing.
But if you have any other examples, when sensitive data can be passed through a view to your client, we can discuss that too.
Answered by palash140
In Laravel, if you return any model object in a controller that represents any entity, it will be converted into JSON.
That is useful for API creation, and there hidden fields help a lot.