Apna Hive

Posted on • Originally published at apnahive.com

Laravel’s Str::mask: Elegant String Masking Made Simple

When handling sensitive data like email addresses, phone numbers, or credit card details, it’s often necessary to mask parts of the string to protect user privacy. Laravel’s Str::mask helper, introduced in Laravel 9, makes this task effortless and expressive.

Let’s explore how Str::mask works, when to use it, and some practical examples to integrate it into your Laravel projects.

🧠 What Is Str::mask?

Str::mask is a method in Laravel’s Illuminate\Support\Str class that replaces a portion of a string with a repeated character (default is *). You control where the masking starts and how many characters to mask.

Syntax:

```php
Str::mask(string $string, string $character, int $index, int $length = null)
```

$string: The original string to be masked.
$character: The character used for masking.
$index: The position to start masking.
$length: (Optional) Number of characters to mask. If omitted, it masks till the end.

✨ Examples in Action

1. Masking an Email Address

```php
use Illuminate\Support\Str;

$email = 'john.doe@example.com';
$masked = Str::mask($email, '*', 0, 8);

echo $masked; // ********@example.com
```

This masks the first 8 characters of the email, leaving the domain visible.

2. Masking a Credit Card Number

```php
$card = '4111 1111 1111 1234';
$masked = Str::mask($card, 'X', 0, 15);

echo $masked; // XXXXXXXXXXXXXXX1234
```

Perfect for showing only the last 4 digits.

3. Masking a Phone Number

```php
$phone = '+91-9876543210';
$masked = Str::mask($phone, '#', 4, 6);

echo $masked; // +91-######3210
```

This keeps the country code and last few digits visible.

🛠 Use Cases

User privacy: Mask emails, phone numbers, or usernames in logs or public views.
Security: Obscure sensitive tokens or keys.
Compliance: Meet data protection standards like GDPR or PCI-DSS.

🧪 Pro Tip: Combine with Validation

You can use Str::mask in your form responses or API outputs after validation to ensure sensitive data is never exposed unintentionally.

```php
return response()->json([
    'email' => Str::mask($user->email, '*', 0, 5),
]);
```
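A fixed offset such as `0, 5` masks a different share of each address depending on how long the local part is, so this added example (not from the original post) derives the mask range from the value itself. It assumes a Laravel project with Composer's autoloader at `vendor/autoload.php`; `maskEmail()` and `maskCardNumber()` are hypothetical helper names.

```php
<?php
// Added example, not from the original post. Assumes a Laravel project where
// Composer's autoloader (vendor/autoload.php) provides Illuminate\Support\Str.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Support\Str;

// Hypothetical helper: keep the first character of the local part and the
// domain, mask everything in between, whatever the local part's length.
function maskEmail(string $email): string
{
    $at = mb_strrpos($email, '@');
    if ($at === false || $at === 0) {
        // No usable local part: mask the whole value instead of echoing it.
        return Str::mask($email, '*', 0);
    }
    if ($at === 1) {
        // Single-character local part: mask that character too.
        return Str::mask($email, '*', 0, 1);
    }
    return Str::mask($email, '*', 1, $at - 1);
}

// Hypothetical helper: normalise a card number to digits, keep the last four.
function maskCardNumber(string $card): string
{
    $digits = preg_replace('/\D+/', '', $card);
    $length = strlen($digits);
    if ($length <= 4) {
        // Too short to be a card number: reveal nothing.
        return Str::mask($digits, 'X', 0);
    }
    return Str::mask($digits, 'X', 0, $length - 4);
}

// Constructed sample values covering the edge cases above.
$emails = ['john.doe@example.com', 'al@example.com', 'a@example.com', 'not-an-email'];
foreach ($emails as $email) {
    echo maskEmail($email), PHP_EOL;
}

$cards = ['4111 1111 1111 1234', '4111-1111-1111-1234', '1234'];
foreach ($cards as $card) {
    echo maskCardNumber($card), PHP_EOL;
}
```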

🧵 Final Thoughts

Laravel’s Str::mask is a small but powerful tool that helps you write cleaner, safer code when dealing with sensitive strings. It’s expressive, customizable, and fits naturally into Laravel’s philosophy of developer happiness.

If you’re building APIs, admin dashboards, or user-facing apps, consider using Str::mask wherever privacy matters.


Top comments (1)

david duymelinck

In the cases of the email and the credit card, using PHP functions is more versatile. `str_pad(strrchr($email, '@'), strlen($email), "*", STR_PAD_LEFT)`, no need to get the position of the ampersand to fill in the index and length arguments of the mask function.
`str_pad(substr($creditCard, -4), 16, 'X', STR_PAD_LEFT)`, even easier because it is a constant length.

In Laravel it is common to go for the most readable code, but that is not always the best solution.