PHP 8.4.3 Released!

    The SensitiveParameter attribute

    (PHP 8 >= 8.2.0)

    Introduction

    This attribute is used to mark a parameter that is sensitive and should have its value redacted if present in a stack trace.

    Class synopsis

    final class SensitiveParameter {
    /* Methods */
    public __construct()
    }

    Examples

    <?php

    function defaultBehavior(
    string $secret,
    string $normal
    ) {
    throw new     Exception('Error!');
    }

    function     sensitiveParametersWithAttribute(
    #[    \SensitiveParameter]
    string $secret,
    string $normal
    ) {
    throw new     Exception('Error!');
    }

    try {
    defaultBehavior('password', 'normal');
    } catch (    Exception $e) {
    echo     $e, PHP_EOL, PHP_EOL;
    }

    try {
    sensitiveParametersWithAttribute('password', 'normal');
    } catch (    Exception $e) {
    echo     $e, PHP_EOL, PHP_EOL;
    }

    ?>

    Output of the above example in PHP 8.2 is similar to:

    Exception: Error! in example.php:7
Stack trace:
#0 example.php(19): defaultBehavior('password', 'normal')
#1 {main}

Exception: Error! in example.php:15
Stack trace:
#0 example.php(25): sensitiveParametersWithAttribute(Object(SensitiveParameterValue), 'normal')
#1 {main}

    Table of Contents

    Found A Problem?

    Learn How To Improve This PageSubmit a Pull RequestReport a Bug
    add a note

    User Contributed Notes 1 note

    up
    1
    miqrogroove at gmail dot com
    6 days ago
    Beware this attribute does nothing on object interfaces and will permit password exposure when used incorrectly.

    <?php

    interface Server
    {
    public function     connect(
    #[    \SensitiveParameter]
    string $password,
    );
    }

    class     TestServer implements Server
    {
    public function     connect(
    string $password,
    ) {
    throw new     Exception('Guess what?');
    }
    }

    (    $var = new TestServer())->connect('wrl!L3=6O57T9?r');
    add a note
    To Top