I'm in the process of reworking the database layer of a legacy PHP application utilizing Laravel's Eloquent ORM (and related packages).
On occasion, I will forget to call the get method (or other similar method which returns a collection) when working with a model. In the course of debugging, if I call var_dump on the query builder object it dumps a bunch of sensitive information such as database username / password:
//Trying to access User model, but forgot to use get method
$test = User::where('name', 'Joe');
//Dump an Illuminate\Database\Eloquent\Builder object with all its sensitive bits out
var_dump($test);
I'm wondering if there is some safeguard that I can put in place to prevent this information from being displayed so that on the off chance that some debugging code like this gets pushed to production I don't end up offering up my db password to users.
You can use PHPMD with a rule like Development Code Fragment. You will want to run this every time before pushing up to production.
Functions like var_dump(), print_r() etc. are normally only used during development and therefore such calls in production code are a good indicator that they were just forgotten.
Example:
class SuspectCode {
    public function doSomething(array $items)
    {
        foreach ($items as $i => $item) {
            // …
            if ('qafoo' == $item) var_dump($i);
            // …
        }
    }
}
This rule has the following properties:
==================  ======================================================  ================================================
Name                Default Value                                           Description
==================  ======================================================  ================================================
unwanted-functions  var_dump,print_r,debug_zval_dump,debug_print_backtrace  Comma separated list of suspect function images.
==================  ======================================================  ================================================
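As an added illustration (not part of the answer above), here is a PHPMD ruleset file that enables this rule and extends the default function list; the extra entries dd and dump are Laravel's own debugging helpers and are an assumption for a Laravel project like the one in the question:

```xml
<?xml version="1.0"?>
<ruleset name="no-debug-output"
         xmlns="http://pmd.sf.net/ruleset/1.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sf.net/ruleset/1.0.0 http://pmd.sf.net/ruleset_xml_schema.xsd"
         xsi:noNamespaceSchemaLocation="http://pmd.sf.net/ruleset_xml_schema.xsd">
    <description>Fail the build when leftover debugging output calls are found.</description>

    <!-- The Development Code Fragment rule lives in PHPMD's design ruleset -->
    <rule ref="rulesets/design.xml/DevelopmentCodeFragment">
        <properties>
            <!-- Rule defaults, plus Laravel's dd()/dump() helpers (assumed to be in use here) -->
            <property name="unwanted-functions"
                      value="var_dump,print_r,debug_zval_dump,debug_print_backtrace,dd,dump" />
        </properties>
    </rule>
</ruleset>
```

Save it as phpmd.xml and run it as a pre-push or CI step with `vendor/bin/phpmd app/ text phpmd.xml`; PHPMD exits with a non-zero status when it finds a violation, so the push or build stops before the leftover var_dump() reaches production.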