Support the ongoing development of Laravel.io →
awkwardconcepts
posted 9 years ago
Security Eloquent Installation

I was under the impression that $hidden field in the Model class prevented information from being returned by eloquent. My User model has this line:

protected $hidden = [
    'password', 'remember_token',
];

The comment in the Model for the $hidden attribute states: "The attributes that should be hidden for arrays.". However, if I do this

Route::get('profile/{id}', function($id) {
    $user = User::find($id);
    dd($user);
});

I get a User object with the password visible.

Am I misunderstanding this?

I am using Laravel 5.2

Last updated 2 years ago.
0
lagbox
replied 9 years ago

That $hidden is only used when serializing the model. (toJson() toArray()). This only hides 'attributes' of the model. Doing a var_dump is a php level thing that is dumping the actual object.

$model->toArray() will not contain your password field or the remember token.

0

Sign in to participate in this thread!

Eventy

Your banner here too?

awkwardconcepts awkwardconcepts Joined 10 Nov 2014

Moderators

We'd like to thank these amazing companies for supporting us

Eventy NativePHP
Fathom
Forge
Envoyer
Beyond Code
BairesDev
N-iX
Litslink

Your logo here?

Laravel.io

The Laravel portal for problem solving, knowledge sharing and community building.

Laravel.io

Forum Articles Pastebin

Socials

X (Twitter) Bluesky Bluesky GitHub

The community

Laravel Laravel Laravel News Laravel News
Laracasts Laracasts Laravel Podcast Laravel Podcast
© 2025 Laravel.io - All rights reserved.
Terms of service Privacy policy Advertise