Support the ongoing development of Laravel.io →
Security Eloquent Installation

I was under the impression that $hidden field in the Model class prevented information from being returned by eloquent. My User model has this line:

protected $hidden = [
    'password', 'remember_token',
];

The comment in the Model for the $hidden attribute states: "The attributes that should be hidden for arrays.". However, if I do this

Route::get('profile/{id}', function($id) {
    $user = User::find($id);
    dd($user);
});

I get a User object with the password visible.

Am I misunderstanding this?

I am using Laravel 5.2

Last updated 2 years ago.
0

That $hidden is only used when serializing the model. (toJson() toArray()). This only hides 'attributes' of the model. Doing a var_dump is a php level thing that is dumping the actual object.

$model->toArray() will not contain your password field or the remember token.

0

Sign in to participate in this thread!

Eventy

Your banner here too?

Moderators

We'd like to thank these amazing companies for supporting us

Your logo here?

Laravel.io

The Laravel portal for problem solving, knowledge sharing and community building.

© 2025 Laravel.io - All rights reserved.