Learn how to prevent mass assignment vulnerabilities in Laravel by using the $fillable property to secure your Eloquent models from malicious input.
Previously in this course, we explored understanding CSRF protection to ensure our forms are legitimate. In this lesson, we add another layer of defense: preventing mass assignment.
When you build a web application, you often want to take the data submitted from a form and save it directly into the database. Eloquent makes this incredibly easy with methods like create() or update().
However, this convenience comes with a major security risk. Suppose your users table has an is_admin column. If you blindly pass the entire request object to the database, a malicious user could inject is_admin=1 into their HTTP request. If your application code accepts all input, the user just promoted themselves to an administrator. This is the essence of a mass assignment vulnerability.
Eloquent is designed to be "secure by default" regarding this. It ignores any input that isn't explicitly allowed to be "mass assigned."
To tell Eloquent which attributes are safe to be updated by users, we use the $fillable property inside our model. This acts as a whitelist. Any field not in this array will be ignored during mass assignment, effectively neutralizing the risk of unauthorized data modification.
Let’s apply this to our Task model.
In our Task Manager project, a user should be able to create a task by providing a title and a description. We do not want them to be able to set the is_completed status or change the user_id arbitrarily.
Open app/Models/Task.php and define the $fillable array:
```php
<?php

namespace App\Models;

use Illuminate\Database\Eloquent\Model;

class Task extends Model
{
    /**
     * The attributes that are mass assignable.
     *
     * @var array<int, string>
     */
    protected $fillable = [
        'title',
        'description',
    ];
}
```
Now, if a user attempts to send a request containing is_completed => true alongside their title, Eloquent will process the title and description but silently ignore the is_completed field.
Alternatively, you can use the $guarded property. While $fillable is a whitelist (only these fields are allowed), $guarded is a blacklist (these fields are blocked).
```php
protected $guarded = ['id', 'is_admin'];
```
I personally prefer $fillable because it forces you to be explicit about what your application expects. If you add a new column to your database, it remains protected by default until you deliberately add it to your $fillable array.
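As an added example (not code from the course), here is a store action that pairs validation with the $fillable whitelist from the Task model above, followed by a feature test that replays the hidden-field scenario to confirm that injected keys never reach the database. The TaskController class, the POST /tasks route, the tasks.index route name, a User factory, and a tasks table with user_id and is_completed (default false) columns are assumptions.

```php
<?php
// app/Http/Controllers/TaskController.php (assumed file; added example)
namespace App\Http\Controllers;

use App\Models\Task;
use Illuminate\Http\Request;

class TaskController extends Controller
{
    public function store(Request $request)
    {
        // Validation is the first filter: only these two keys reach $data.
        $data = $request->validate([
            'title'       => ['required', 'string', 'max:255'],
            'description' => ['nullable', 'string'],
        ]);
        // Mass assignment only touches $fillable keys (title, description).
        $task = new Task($data);
        // user_id is not fillable, so Task::create(['user_id' => ...]) would silently
        // drop it. Direct property assignment bypasses $fillable, which is what we
        // want for a value the server decides and the client never supplies.
        $task->user_id = $request->user()->id;
        $task->save();

        return redirect()->route('tasks.index');
    }
}

// tests/Feature/TaskMassAssignmentTest.php (assumed file; added example)
namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class TaskMassAssignmentTest extends TestCase
{
    use RefreshDatabase;

    public function test_injected_fields_are_ignored(): void
    {
        $user = User::factory()->create();
        // Replays the lesson's hidden-input scenario: extra keys ride along.
        $this->actingAs($user)->post('/tasks', [
            'title' => 'Write report', 'description' => 'Due Friday',
            'is_completed' => true, 'user_id' => 999,
        ]);
        // Only whitelisted data plus the server-chosen owner was persisted.
        $this->assertDatabaseHas('tasks', [
            'title' => 'Write report', 'user_id' => $user->id, 'is_completed' => false,
        ]);
        $this->assertDatabaseMissing('tasks', ['user_id' => 999]);
    }
}
```

The two sections belong in the separate files named in the comments; they are shown together only for reading.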
Try it yourself in the Task Manager project:

- Open the Task model in the app/Models directory.
- Add the title and description fields to the $fillable array.
- Make sure the tasks table migration includes these columns.
- Test the protection by adding a hidden field to your create form (for example, <input type="hidden" name="user_id" value="999">).
- Verify that user_id remains unchanged or follows your business logic, rather than the malicious input.
- Remember to update the $fillable property when you add new database columns.
- Do not dump every column into $fillable just to "make it work." Only include fields that the user is actually allowed to modify via a form.

While this approach covers basic model security, advanced architectures often move toward more complex patterns for data validation and transfer, as discussed in our deep dives into preventing mass assignment with DTOs. By mastering the basics of Eloquent security now, you're building a solid foundation for more robust, production-grade systems.
Mass assignment occurs when your application accepts broad user input and saves it directly into the database. By using the $fillable property in your Eloquent models, you create a whitelist that ensures only safe, expected data is persisted. This simple configuration is your first line of defense against unauthorized attribute modification.
Up next: Task Manager: Securing the Application.