Automatically redact sensitive data from stack traces in PHP 8.2+.
When exceptions occur in PHP, stack traces include all function parameter values. This means sensitive data like passwords, API keys, and tokens can leak into:
- Error logs
- Monitoring systems (Sentry, Bugsnag, etc.)
- Debug output
- Crash reports
```
Fatal error: Uncaught Exception: Authentication failed in script.php:5
Stack trace:
#0 script.php(9): authenticate('admin', 'supersecret123')
                                        ^^^^^^^^^^^^^^^^
                                        Password exposed!
```
PHP 8.2 introduced the `#[\SensitiveParameter]` attribute. When applied to a function parameter, its value is automatically redacted in backtraces and shown as `Object(SensitiveParameterValue)`.
```php
function authenticate(
    string $username,
    #[\SensitiveParameter] string $password
) {
    // ...
}
```

```
Fatal error: Uncaught Exception: Authentication failed in script.php:5
Stack trace:
#0 script.php(9): authenticate('admin', Object(SensitiveParameterValue))
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                        Password safely hidden!
```
```bash
# Build the image
docker build -t php-sensitive-parameter .

# Run both demos
docker run --rm php-sensitive-parameter

# Run individually
docker run --rm php-sensitive-parameter php without_sensitive_parameter.php
docker run --rm php-sensitive-parameter php with_sensitive_parameter.php
```

```bash
# Run without Docker (requires PHP 8.2+)
php without_sensitive_parameter.php
php with_sensitive_parameter.php
```

| File | Description |
|---|---|
| `without_sensitive_parameter.php` | Shows the problem: password visible in stack trace |
| `with_sensitive_parameter.php` | Shows the solution: password redacted |
Apply `#[\SensitiveParameter]` to any parameter containing:
- Passwords and credentials
- API keys and tokens
- Personal identification numbers
- Credit card numbers
- Any data you wouldn't want in logs
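
Redaction is applied per parameter, per function, so a secret handed to an inner helper whose parameter is not marked still appears in that helper's frame. The script below is an added example, not one of this repository's demo files; the function names and the sample password are hypothetical, and it assumes `zend.exception_ignore_args` is off so that frames record arguments at all.

```php
<?php
declare(strict_types=1);

// Hypothetical inner helper: the parameter is NOT marked.
function verifyUnmarked(string $password): void
{
    throw new RuntimeException('Authentication failed');
}

// Same helper with the attribute applied.
function verifyMarked(#[\SensitiveParameter] string $password): void
{
    throw new RuntimeException('Authentication failed');
}

// The outer function is marked in both runs; only the helper differs.
function authenticate(string $username, #[\SensitiveParameter] string $password, bool $markHelper): void
{
    if ($markHelper) {
        verifyMarked($password);
    } else {
        verifyUnmarked($password);
    }
}

/** Render every frame of the trace, showing which arguments were redacted. */
function describeTrace(Throwable $e): array
{
    $lines = [];
    foreach ($e->getTrace() as $frame) {
        $args = array_map(
            static fn (mixed $arg): string => match (true) {
                $arg instanceof SensitiveParameterValue => '[redacted]',
                is_scalar($arg) => var_export($arg, true),
                default => get_debug_type($arg),
            },
            $frame['args'] ?? [] // key is absent when zend.exception_ignore_args=On
        );
        $lines[] = sprintf('%s(%s)', $frame['function'], implode(', ', $args));
    }
    return $lines;
}

foreach ([false, true] as $markHelper) {
    try {
        authenticate('admin', 'constructed-sample-password', $markHelper); // constructed value
    } catch (RuntimeException $e) {
        echo $markHelper ? "helper marked:\n" : "helper unmarked:\n";
        echo '  ', implode("\n  ", describeTrace($e)), "\n";
    }
}
```

Run it with PHP 8.2+ and compare the helper's frame between the two runs; the attribute has to be repeated on every function the secret passes through.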