Tags: php, stack-trace

Password as argument displayed in stack-trace


We log all the exceptions that occur in our code, with the associated stack trace.

The problem comes from this function:

public function Authenticate($user, $password) {
    // Authenticate the user
}

When an exception is thrown by this function, the stack trace contains the parameters used: the user's password is displayed in plain text.

How can I deal with that? Should I rewrite the Authenticate function to accept only an encrypted password? Can I prevent this particular parameter from being displayed in the stack trace?

Any idea is welcome.

EDIT

I use the getTraceAsString function to log the trace.


Solution

  • You could use the Exception::getTrace() method to collect the information and write your own custom getTraceAsString() that does not include the parameters.

    See this example from the comments on Exception::getTrace() docs.

      function MakePrettyException(Exception $e) {
        $trace = $e->getTrace();

        $result = 'Exception: "';
        $result .= $e->getMessage();
        $result .= '" @ ';
        // getTrace() is empty when the exception was thrown from top-level code,
        // so never assume frame 0 (or its 'class' key) exists.
        if (!empty($trace[0]['class'])) {
          $result .= $trace[0]['class'];
          // 'type' is '->' for instance calls and '::' for static calls.
          $result .= isset($trace[0]['type']) ? $trace[0]['type'] : '->';
        }
        $result .= isset($trace[0]) ? $trace[0]['function'] : '{main}';
        $result .= '();<br />';
        // $trace[0]['args'] is deliberately never read, so call arguments
        // such as a password do not end up in the formatted string.

        return $result;
      }
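As an added, fuller illustration of the approach in this answer (this is example code written for this page, not the docs-comment snippet above and not the asker's project), the function below rebuilds the whole frame list in the same `#N file(line): Class->method()` layout that getTraceAsString() produces, but skips each frame's `args` entry, which is where the plain-text password lives. The `Auth` class, the user `alice`, and the sample password are constructed for the demo. With the built-in getTraceAsString(), the argument list is visible whenever the `zend.exception_ignore_args` ini setting (PHP 7.4 and later) is Off; on PHP 8.2 and later the `#[\SensitiveParameter]` attribute on the `$password` parameter is the built-in way to redact a single argument, but the custom formatter works on any PHP 7 release and covers every frame, including helpers called from Authenticate().

```php
<?php
// Added example: a replacement for Exception::getTraceAsString() that prints
// every frame without its arguments, so a password passed to Authenticate()
// (or to anything it calls) never reaches the log.

function traceWithoutArgs(Throwable $e): string
{
    $lines = [];
    foreach ($e->getTrace() as $i => $frame) {
        // Internal functions have no 'file'/'line' keys; mirror PHP's own wording.
        $file = isset($frame['file']) ? $frame['file'] : '[internal function]';
        $line = isset($frame['line']) ? '(' . $frame['line'] . ')' : '';
        // 'class' and 'type' ('->' or '::') are only present for method calls.
        $call = ($frame['class'] ?? '') . ($frame['type'] ?? '') . $frame['function'];
        // $frame['args'] is deliberately ignored: that is where the password lives.
        $lines[] = sprintf('#%d %s%s: %s()', $i, $file, $line, $call);
    }
    $lines[] = '#' . count($lines) . ' {main}';
    return implode("\n", $lines);
}

// Hypothetical class mirroring the question's Authenticate() signature.
class Auth
{
    public function Authenticate($user, $password)
    {
        // Keep the secret out of the message too: only the user name is logged.
        throw new RuntimeException("Authentication failed for $user");
    }
}

try {
    (new Auth())->Authenticate('alice', 'hunter2'); // constructed sample input
} catch (Throwable $e) {
    // Built-in formatter: with zend.exception_ignore_args=Off the line for
    // Auth->Authenticate() includes 'alice', 'hunter2'.
    echo "Built-in getTraceAsString():\n", $e->getTraceAsString(), "\n\n";
    // Replacement: same frames, same layout, no argument values.
    echo "Custom trace:\n", traceWithoutArgs($e), "\n";
}
```

Because the formatter drops arguments for every frame rather than for one named parameter, it also protects a password that is still on the stack when a deeper helper (a hashing or database call inside Authenticate()) is the one that throws.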