
I'm in the last phase of my project and I'm building a secure app. My doubt here is, I want to be very careful about the security of the table "users", so in my queries I only select the columns that the view needs to show, for example the name or the age. But users is related to a table (one to many) and when I query that table (the related one), I can access all the columns in users, and at least I want to protect the password. Is there any way to "hide" the password column from all other queries? Here is the example if it can help:

    // This shows the user pwd
    $top = top_semanal::where('sport', $category)->get();
    $top[0]->user->password;

    // This doesn't
    $usuario = user::select('user', 'email')->where('id', 1)->first();
    $usuario->password;

Important detail: I'm not using auth, just my own models. This is my model "user":

    <?php

    use Illuminate\Database\Eloquent\Model;

    class user extends Model
    {
        protected $table = "USER";

        public $timestamps = false;

        protected $fillable = [
            'name',
            'email',
            'password',
        ];

        // Omitted from toArray()/toJson() only; $model->password still returns the value.
        protected $hidden = [
            "password"
        ];
    }

Thank you!

  • Surely, you control what gets placed on page, so if you don't display the password how is anyone going to get to see it? – RiggsFolly Nov 02 '22 at 14:03
  • The `hidden` attribute is to hide the values when the models are cast to array or json. They are still accessible when accessed directly. – aynber Nov 02 '22 at 14:04
  • I fear that this might also mean you are storing passwords on the database in PLAIN TEXT. **V.v.Bad** PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php) please use them for the safety of your users. I would assume Laravel provides an internal version of these if you prefer – RiggsFolly Nov 02 '22 at 14:04
  • What RiggsFolly said, though Laravel also has its own hash method, `Hash::make($password)`, which works well with Laravel's `Auth` methods. – aynber Nov 02 '22 at 14:07
  • I was gonna say the same thing; the documentation using `password` as the example field for `protected $hidden` when it _should_ be Hashed. Hiding a Hashed field from models cast to an array or JSON always felt like overkill. But yes; to reiterate, it can still be accessed via `->password` (but you control that with your code), and if you're not hiding it, it _should_ be properly Hashed. If you're storing password as plain-text in your database, you need to change that. – Tim Lewis Nov 02 '22 at 14:15
  • @Jorge Garcia when you say "//This shows the user pwd" you mean it actually shows user's password, or its hash? – ericmp Nov 02 '22 at 14:40
  • Take a look here: https://stackoverflow.com/questions/19852927/get-specific-columns-using-with-function-in-laravel-eloquent, it seems you should specify which columns from the related table you need – Rodrigo Kravetz Nov 02 '22 at 15:20
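As an added example, not code from the question or from any commenter: the model from the question with the password hashed on assignment (the `Hash::make` approach named in the comments, wired into a Laravel 9+ attribute mutator) and a constrained eager load that fetches only the related user's `id` and `name`, which is the column-selection approach from the linked answer. The `App\Models` namespace, the `password()` mutator, `checkPassword()` and the `weeklyTop()` helper are assumptions; `top_semanal`, `user`, `sport` and the `user()` relation come from the question.

```php
<?php
// Added example (not from the question or the comments): a user model that
// hashes the password on assignment, plus the query pattern from the comments
// that fetches only the needed columns from the related user row.
namespace App\Models;

use Illuminate\Database\Eloquent\Casts\Attribute;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Facades\Hash;

class user extends Model
{
    protected $table = "USER";
    public $timestamps = false;
    protected $fillable = ['name', 'email', 'password'];

    // $hidden only affects toArray()/toJson(); $model->password still returns
    // the value, so it is not a substitute for hashing or for narrow selects.
    protected $hidden = ['password'];

    // Laravel 9+ attribute mutator: Hash::make runs on every assignment, so a
    // plain-text password never reaches the USER table.
    protected function password(): Attribute
    {
        return Attribute::make(
            set: fn (string $value) => Hash::make($value),
        );
    }

    // Login check against the stored hash; never compare with == yourself.
    public function checkPassword(string $candidate): bool
    {
        return Hash::check($candidate, $this->password);
    }
}

// Assumed helper (hypothetical): the parent select must keep the foreign key
// (user_id) and the constrained column list must keep the related key (id),
// otherwise Eloquent cannot match the rows and ->user is null.
function weeklyTop(string $category)
{
    return top_semanal::with('user:id,name')
        ->select('id', 'user_id', 'sport')
        ->where('sport', $category)
        ->get();
}
// For each row, $row->user carries only id and name; $row->user->password is
// null because the column was never read from the database.
```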
