Avoid leaking username/password when using xdebug

I have xdebug set up for error tracking and I am seeing an issue on the login form. As soon as a user tries to log in, xdebug throws a stack trace with the username and password. Now the question is how to replace those with placeholder characters, e.g. *, so as to avoid logging usernames/passwords.

This is not a PRODUCTION SERVER

This is a bit late, but I've been looking for answers to this question and haven't found any. Here's what I've come up with.

Use a setter (or constructor) to pass credentials to your auth model, rather than passing them directly to any function that might have errors:

class Auth
{
    protected
        $username=null,
        $password=null;
    // ...
    public function setCredentials($username,$password)
    {
        $this->username=$username;
        $this->password=$password;
    }
    public function login()
    {
        $result=false;
        //credentials are not passed to this function
        //so if something goes wrong they won't end up
        //in the stack trace
        // ...retrieve user record from database into $data...
        $result=password_verify($this->password,$data['password_hash']);
        if($result)
        {
            // ...success - finish logging user in...
        }
        return $result;
    }
    // ...
}

The setCredentials function is very simple; there is nothing in there that will cause an exception to be thrown.

The login function doesn't take credentials as parameters, so if something does go wrong, your password won't end up in the stack trace (instead of Auth::login('thisisme','thisismypassword') in the stack trace, you will see Auth::login()).

As far as I can tell, the password_verify function won't throw an exception, but if you are paranoid, you could wrap it in a try/catch block:

try
{
    $result=password_verify($this->password,$data['password_hash']);
}
catch(Exception $ex)
{
    error_log(get_class($this).'::'.__FUNCTION__.': password_verify() failed.');
}

The password hash should have been set up using password_hash()

http://php.net/manual/en/function.password-hash.php

http://php.net/manual/en/function.password-verify.php
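As an added example that is not part of the original answer, the following PHP 8 script checks whether the plaintext password shows up in an exception's trace frames for the argument style versus the setter style described above; ArgAuth, SetterAuth and the traceLeaks() helper are hypothetical names, and the comment about zend.exception_ignore_args refers to the PHP ini directive, not to anything xdebug-specific.

```php
<?php
// Hypothetical ArgAuth/SetterAuth; RuntimeException stands in for a DB failure.
final class ArgAuth
{
    public function login(string $username, string $password): bool
    {
        // Fails while holding the secret as an argument, so the trace frame
        // for login() records the argument list.
        throw new RuntimeException('database unavailable');
    }
}
final class SetterAuth
{
    private ?string $username = null;
    private ?string $password = null;
    public function setCredentials(string $username, string $password): void
    {
        $this->username = $username;
        $this->password = $password;
    }
    public function login(): bool
    {
        // Same failure, but login() has no parameters and setCredentials()
        // has already returned, so no live frame carries the plaintext.
        throw new RuntimeException('database unavailable');
    }
}
// True if $secret occurs in any argument of any frame of the trace. Under
// PHP 7.4+ with zend.exception_ignore_args=On, frames carry no 'args' at all.
function traceLeaks(Throwable $e, string $secret): bool
{
    foreach ($e->getTrace() as $frame) {
        foreach ($frame['args'] ?? [] as $arg) {
            if (is_string($arg) && str_contains($arg, $secret)) {
                return true;
            }
        }
    }
    return false;
}
$secret = 'thisismypassword';
try { (new ArgAuth())->login('thisisme', $secret); }
catch (RuntimeException $e) { var_dump(traceLeaks($e, $secret)); } // argument style
$auth = new SetterAuth();
$auth->setCredentials('thisisme', $secret);
try { $auth->login(); }
catch (RuntimeException $e) { var_dump(traceLeaks($e, $secret)); } // setter style
```

The same traceLeaks() check can be placed in a unit test so that a later refactor which reintroduces credentials as function parameters is caught before a trace ever reaches a log.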

Hmm, have you really turned on error reporting on production? Such a brave person :)

Disable it! Production should log errors, never show them.