Add QueryException message handling without replacing bindings.
As mentioned in the discussion https://github.com/laravel/framework/discussions/41920, a QueryException message that binds real SQL values is useful for development. But there is a security risk, e.g. unintended logging of personal information (email, user name, tel, ...).
This pull request adds support for QueryException message handling with/without replacing bindings.
If we put the mask: true parameter in the database config, the ? placeholders are not replaced with real SQL values.
I think this pull request helps make Laravel applications more secure.
Example
config/database.php
```php
<?php

return [
    'connections' => [
        'mysql' => [
            'driver' => 'mysql',
            // ...
            'mask' => true,
        ],
    ],
];
```
mask: true
(Connection: , SQL: SELECT * FROM users WHERE id = ?)
mask: false
(Connection: , SQL: SELECT * FROM users WHERE id = 1)
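As an added illustration (not the pull request's code), this shows how such a message can be built with the placeholders left in place versus with the bound values substituted; `substituteBindings`, `formatQueryMessage` and the `mysql` connection name are assumed, and the sample query is constructed.

```php
<?php
// Added illustration, not the pull request's code. Builds a QueryException-style
// message either with the ? placeholders left in place (masked) or with the bound
// values substituted, so you can see what would end up in a log in each mode.

/**
 * Substitute bindings into the ? placeholders of $sql, in order.
 * Splitting on ? first means a bound value that itself contains a ?
 * is never mistaken for a placeholder on a later pass.
 */
function substituteBindings(string $sql, array $bindings): string
{
    $segments = explode('?', $sql);
    $result = array_shift($segments);
    foreach ($segments as $segment) {
        // Out of bindings: keep the placeholder as-is.
        $value = $bindings === [] ? '?' : var_export(array_shift($bindings), true);
        $result .= $value . $segment;
    }
    return $result;
}

/**
 * Format the message in the shape of the PR's example output (assumed name
 * and signature; the real Connection/QueryException plumbing is omitted).
 */
function formatQueryMessage(string $connection, string $sql, array $bindings, bool $maskBindings): string
{
    $shown = $maskBindings ? $sql : substituteBindings($sql, $bindings);
    return "(Connection: {$connection}, SQL: {$shown})";
}

// Constructed sample: a lookup by e-mail, the kind of value you do not want logged.
$sql = 'SELECT * FROM users WHERE email = ? AND active = ?';
$bindings = ['alice@example.com', 1];

// Masked: placeholders stay as ?, no personal data reaches the log.
echo formatQueryMessage('mysql', $sql, $bindings, true), PHP_EOL;
// Unmasked: the e-mail address is written into the message verbatim.
echo formatQueryMessage('mysql', $sql, $bindings, false), PHP_EOL;
```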
In Eloquent we have toSql or toRawSql!
Maybe it would be interesting to change from mask to raw?
```php
<?php

return [
    'connections' => [
        'mysql' => [
            'driver' => 'mysql',
            // ...
            'mask' => true,
        ],
```
Just from reading this, to me, it's not entirely clear, that mask is only used for exceptions. Maybe, the key naming should reflect that better
Yeah - naming is not super clear.
Thank you for the review!
How about the following names?

- hide_bindings_on_exception_message
- hide_bindings_on_error_message
- hide_parameters_on_exception_message
- hide_parameters_on_error_message
There's also mask_{bindings|parameters}_on_{error|exception}_message.
I'd say, using "bindings" and "exception" here feels like the most intuitive, but they are all way better than just "mask" 👍🏻
Thank you for the advice!
I fixed the naming from mask to mask_bindings_on_exception_message.