Add QueryException message handling without replacing bindings. #54203

Draft: wants to merge 1 commit into base 11.x

Conversation


@tzmfreedom tzmfreedom commented Jan 15, 2025

As mentioned in the discussion #41920, QueryException messages that bind real SQL values are useful for development. But there is a security risk, e.g. unintended logging of personal information (email, user name, tel, ...).

This pull request adds support for QueryException message handling with/without replacing bindings.
If we put the mask: true parameter in the database config, the ? placeholders are not replaced with real SQL values.
I think this pull request helps make Laravel applications more secure.

Example

config/database.php

<?php

return [
    'connections' => [
        'mysql' => [
            'driver' => 'mysql',
            // ...
            'mask' => true,
        ],
    ],
];

mask: true

(Connection: , SQL: SELECT * FROM users WHERE id = ?)

mask: false

(Connection: , SQL: SELECT * FROM users WHERE id = 1)
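Added example, not the PR's own patch and not Laravel code: a standalone PHP sketch of the masked versus unmasked exception message, assuming the mask_bindings_on_exception_message key the thread later settles on; the function names are hypothetical.

```php
<?php
// Added example, not code from the PR or from Laravel itself: a standalone
// sketch of the behaviour the PR describes. The config key follows the name
// chosen later in the thread; the function names are hypothetical.

// Replace each "?" in $sql with the next binding, left to right. Scanning by
// offset means a binding that itself contains "?" is never expanded again.
function interpolateBindings(string $sql, array $bindings): string
{
    $offset = 0;
    foreach ($bindings as $value) {
        $pos = strpos($sql, '?', $offset);
        if ($pos === false) {
            break;
        }
        $literal = is_string($value)
            ? "'" . str_replace("'", "''", $value) . "'"
            : var_export($value, true);
        $sql = substr($sql, 0, $pos) . $literal . substr($sql, $pos + 1);
        $offset = $pos + strlen($literal);
    }
    return $sql;
}

// Build the "(Connection: ..., SQL: ...)" suffix. When the flag is set the
// bindings never enter the message, so they cannot reach logs, error
// trackers or debug pages through the exception text.
function formatQueryExceptionMessage(array $config, string $sql, array $bindings, string $driverMessage): string
{
    $mask = (bool) ($config['mask_bindings_on_exception_message'] ?? false);
    $shown = $mask ? $sql : interpolateBindings($sql, $bindings);
    return sprintf('%s (Connection: %s, SQL: %s)', $driverMessage, $config['name'] ?? '', $shown);
}

// Constructed sample: a lookup by e-mail, exactly the kind of value that
// should not be written to an exception log. A binding containing "?" is
// included to show the offset-based replacement.
$config = ['name' => 'mysql', 'mask_bindings_on_exception_message' => true];
$sql = 'select * from users where email = ? and note = ?';
$bindings = ['alice@example.com', 'why?'];

echo formatQueryExceptionMessage($config, $sql, $bindings, 'constructed driver error'), PHP_EOL;

$config['mask_bindings_on_exception_message'] = false;
echo formatQueryExceptionMessage($config, $sql, $bindings, 'constructed driver error'), PHP_EOL;
```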

@tzmfreedom tzmfreedom force-pushed the add_query_exception_message_handling branch 2 times, most recently from 5000f6c to 8db7967 Compare January 15, 2025 13:21
@ezequidias

In Eloquent we have toSql or toRawSql!

Maybe it would be interesting to change from mask to raw?

@shaedrich
Contributor

shaedrich commented Jan 15, 2025

<?php

return [
    'connections' => [
        'mysql' => [
            'driver' => 'mysql',
            // ...
            'mask' => true,
        ],
    ],
];

Just from reading this, to me it's not entirely clear that mask is only used for exceptions. Maybe the key naming should reflect that better.

@taylorotwell
Member

Yeah - naming is not super clear.

@taylorotwell taylorotwell marked this pull request as draft January 15, 2025 19:56
@tzmfreedom
Author

tzmfreedom commented Jan 16, 2025

Thank you for the review!

How about the following names?

  • hide_bindings_on_exception_message
  • hide_bindings_on_error_message
  • hide_parameters_on_exception_message
  • hide_parameters_on_error_message

@shaedrich
Contributor

shaedrich commented Jan 16, 2025

Thank you for the review!

How about the following names?

  • hide_bindings_on_exception_message
  • hide_bindings_on_error_message
  • hide_parameters_on_exception_message
  • hide_parameters_on_error_message

There's also mask_{bindings|parameters}_on_{error|exception}_message.

I'd say using "bindings" and "exception" here feels the most intuitive, but they are all way better than just "mask" 👍🏻

@tzmfreedom tzmfreedom force-pushed the add_query_exception_message_handling branch from 8db7967 to d0164e4 Compare January 16, 2025 11:55
@tzmfreedom
Author

Thank you for the advice!
I fixed the naming from mask to mask_bindings_on_exception_message.
