Reputation: 733
I started using Laravel with 4.0 where mass assignment was available by default... i.e.
$foo = Foo::create(['foo' => 'bar', 'bar' => 'foo']);
But I think in L4.1 fields available for mass assignment started having to be defined in the model. Now I'm going through a tutorial for L5 since I had learned L4 mostly through trial and error and I'm seeing mass assignment used on a lot of models that I would think to be rather high risk, such as Users.
I kind of expect to get flagged for asking for an opinion, but I'm unclear on what risks I'm worried about with mass assignment (SQL injection I'm assuming). Or does the fact that I'm defining what is mass assignable in the model take away the risk that was in the L4.0 system?
Upvotes: 0
Views: 383
Reputation: 152890
The "risk" is that developers often pass Input::all() into the model. Without the protection that the new system with $fillable and $guarded provides, unexpected user input can produce an error (to be exact an SQL error like: column foo not in field list) and it possibly allows the user to insert attributes you didn't want him to set by manipulating the request.
Upvotes: 1
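As an added illustration (not part of the question or the answer above), here is what the $fillable whitelist does when a request carrying an extra is_admin field is mass assigned to a Laravel 5 Eloquent model. It assumes a Laravel 5 application; the User model, the users table columns, the controller and the field names are chosen for the example.

```php
<?php
// app/User.php (added example, assumes a Laravel 5 app with a users table
// that has name, email, password and is_admin columns)
namespace App;

use Illuminate\Database\Eloquent\Model;

class User extends Model
{
    // Whitelist: only these columns may be set through create()/fill()/update().
    // A request that also carries "is_admin=1" does not reach the database.
    protected $fillable = ['name', 'email', 'password'];

    // Blacklist form, equivalent here (use $fillable OR $guarded, not both):
    // protected $guarded = ['id', 'is_admin'];
}

// app/Http/Controllers/UserController.php (excerpt)
// $request->all() is the Laravel 5 equivalent of Input::all().
public function store(\Illuminate\Http\Request $request)
{
    $input = $request->all();
    // e.g. ['name' => 'alice', 'email' => 'a@example.com',
    //       'password' => 's3cret', 'is_admin' => 1]   <- is_admin was added by the client

    $input['password'] = bcrypt($input['password']);

    // is_admin is silently discarded because it is not in $fillable.
    // With no $fillable and the default $guarded = ['*'], this call would instead
    // throw Illuminate\Database\Eloquent\MassAssignmentException rather than
    // reaching the database and failing with "column ... not in field list".
    $user = User::create($input);

    // $user->is_admin is null here. Privileged columns are set explicitly,
    // by your own code path, never from the request array:
    // $user->is_admin = true;
    // $user->save();

    return redirect()->route('users.show', $user->id);
}
```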