QueryException shouldn't print the SQL in envs where debugging is not desired #41920
specialtactics asked this question in General (unanswered, 0 comments)
This is a security oriented request.
The class QueryException has the following code:
It is very useful and I totally support it in any sort of local or testing environment. However, when it comes to production or any production-like environment, it's a bad idea because it gives away too much information to potential bad-actors.
When conducting security audits and penetration testing, this gets flagged 100% of the time - and this has a big impact on enterprise users of Laravel.
My suggestion is to allow tweaking this behaviour on the basis of environment. I am not sure what the most user-friendly way may be, and I think having a new ENV directive just for this is a bit overkill, so I suggest using the APP_DEBUG env directive to decide whether the SQL should be attached to the message or not. This config already has similar effect in other situations, which is also useful for similar reasons, so to me it is a good fit.
If approved, I'm happy to do the PR for this.
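The behaviour the post asks for, as an added example that is not part of the original post and not Laravel's own QueryException code: a stand-alone exception class that appends the interpolated SQL to the message only when a debug flag (the post's proposed APP_DEBUG switch) is on, and otherwise returns a generic message carrying an opaque reference id while the full detail goes to a server-side log. The class name SafeQueryException, the `$debug` parameter, the `$logger` callable and the constructed driver error are assumptions for this illustration; the `?` substitution mirrors the kind of binding interpolation the post objects to and is for log readability only, never for execution.

```php
<?php
// Added example, not Laravel's code: gate the SQL-in-message behaviour on a
// debug flag so production responses never reveal query text or bindings.
// SafeQueryException, $debug and $logger are assumed names for this demo.

declare(strict_types=1);

final class SafeQueryException extends RuntimeException
{
    private string $sql;
    private array $bindings;
    private string $referenceId;

    public function __construct(
        string $sql,
        array $bindings,
        Throwable $previous,
        bool $debug,
        ?callable $logger = null
    ) {
        $this->sql = $sql;
        $this->bindings = $bindings;
        // Opaque id a support engineer can search for in the server log.
        $this->referenceId = bin2hex(random_bytes(8));

        if ($debug) {
            // Local/testing: keep the helpful, verbose message.
            $message = $previous->getMessage()
                . ' (SQL: ' . self::interpolate($sql, $bindings) . ')';
        } else {
            // Production: neither the driver error nor the SQL reaches the client.
            $message = 'Database query failed (ref ' . $this->referenceId . ')';
        }

        // Full detail is always recorded server-side, in both modes.
        ($logger ?? 'error_log')(sprintf(
            '[query-error ref=%s] %s | SQL: %s',
            $this->referenceId,
            $previous->getMessage(),
            self::interpolate($sql, $bindings)
        ));

        parent::__construct($message, (int) $previous->getCode(), $previous);
    }

    public function getSql(): string { return $this->sql; }
    public function getBindings(): array { return $this->bindings; }
    public function getReferenceId(): string { return $this->referenceId; }

    // Replace positional "?" placeholders with quoted bindings for readability.
    // The result is a log string and must never be sent back to the database.
    private static function interpolate(string $sql, array $bindings): string
    {
        $i = 0;
        return preg_replace_callback('/\?/', function () use ($bindings, &$i) {
            $value = $bindings[$i++] ?? null;
            if ($value === null) return 'NULL';
            if (is_bool($value)) return $value ? '1' : '0';
            if (is_int($value) || is_float($value)) return (string) $value;
            return "'" . str_replace("'", "''", (string) $value) . "'";
        }, $sql);
    }
}

// Constructed demo input: a driver error of the kind PDO would report.
$driverError = new RuntimeException(
    "SQLSTATE[42S22]: Column not found: 1054 Unknown column 'emial' in 'where clause'"
);
$sql = 'select * from users where emial = ? and active = ?';
$bindings = ['alice@example.com', true];

$logLines = [];
$logger = function (string $line) use (&$logLines) { $logLines[] = $line; };

foreach ([true, false] as $debug) {
    $e = new SafeQueryException($sql, $bindings, $driverError, $debug, $logger);
    printf("APP_DEBUG=%s -> %s\n", $debug ? 'true' : 'false', $e->getMessage());
}
printf("server log:\n%s\n", implode("\n", $logLines));
```

With `$debug = false` the client-facing message contains only the reference id; the column name, table name and bound email address appear solely in the log lines, which is the property a penetration tester checks for when probing error responses. Because the detailed line is written in both modes, turning debug off costs nothing in diagnosability for whoever has log access.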