Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add QueryException message handling without replacing bindings. #54203

Draft
wants to merge 1 commit into
base: 11.x
Choose a base branch
from
Draft

Add QueryException message handling without replacing bindings. #54203

wants to merge 1 commit into from
+46 −6

Conversation

tzmfreedom
Copy link

@tzmfreedom tzmfreedom commented Jan 15, 2025
edited
Loading

As mentioned in the discussion #41920, QueryException message that bind real SQL values is useful for development. But there is security risk, e.g. unintended personal information(email, user name, tel, ...) logging.

This pull request adds support for QueryException message handling with/without replacing bindings.
If we put mask: true parameters to database config, ? masking is not replacing with real SQL value.
I think this pull request help Laravel application more secure.

Example

config/database.php

<?php

return [
    'connections' => [
        'mysql' => [
            'driver' => 'mysql',
            // ...
            'mask' => true,
        ],

mask: true

(Connection: , SQL: SELECT * FROM users WHERE id = ?)

mask: false

(Connection: , SQL: SELECT * FROM users WHERE id = 1)

@tzmfreedom tzmfreedom force-pushed the add_query_exception_message_handling branch from b17043f to 5000f6c Compare January 15, 2025 13:17
@tzmfreedom tzmfreedom force-pushed the add_query_exception_message_handling branch from 5000f6c to 8db7967 Compare January 15, 2025 13:21
@ezequidias
Copy link

In Eloquent we have toSql or toRawSql!

Maybe it would be interesting to change from mask to raw?

@shaedrich
Copy link
Contributor

shaedrich commented Jan 15, 2025
edited
Loading 

<?php

return [
    'connections' => [
        'mysql' => [
            'driver' => 'mysql',
            // ...
            'mask' => true,
        ],

Just from reading this, to me, it's not entirely clear, that mask is only used for exceptions. Maybe, the key naming should reflect that better

@taylorotwell
Copy link
Member

Yeah - naming is not super clear.

@taylorotwell taylorotwell marked this pull request as draft January 15, 2025 19:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@tzmfreedom @ezequidias @shaedrich @taylorotwell