We are moving our forum in GitHub Discussions. For questions about Phalcon v3/v4 you can visit here and for Phalcon v5 here.

Security di in view


I can't help but wonder if there is a simple way to filter down what is passed to the view so that printing "$this" will not output all my credentials and other stuff in the DI. Should I be worrying about this ?

Thanks in advance.


I would imagine you should only be printing out this if you are debugging so it shouldn't be an issue.

You can try serializing the object to an array if it is a model or a result set to cut down on the output

edited Jan '15

The answer is : I you should only be printing this out if I am debugging so it shouldn't be an issue.

If you are debugging on your local machine or on a dev server which is not accessible from the Internet yeah you can do that. However if you are trying to do this on a production system then you should rethink your stragegy.

Some pointers:

  • When you get the $this and it has username/password information, strip it out unless you desperately need them.
  • Get a local virtual machine that is identical to your production environment. You can do your testing there without exposing anything to the outside world
  • If you really have to mess up with your prod environment, instead of printing stuff on screen, log it to a log file which is not accessible from the outside.