Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Eloquent - What is $fillable really for?

Tags:

php

laravel

This is what Laravel document sais :

To get started, you should define which model attributes you want to make mass assignable. You may do this using the $fillable property on the model

So why not just let all the attributes to be assigned by the ->fill()/::create() methods?

like image 482
Vahid2015 Avatar asked Apr 24 '20 05:04

Vahid2015


People also ask

Why $fillable is used in Laravel model?

The fillable property is used inside the model. It takes care of defining which fields are to be considered when the user will insert or update data. Only the fields marked as fillable are used in the mass assignment. This is done to avoid mass assignment data attacks when the user sends data from the HTTP request.

What are accessors and mutators in Laravel?

Accessors and mutators allow you to format Eloquent attributes when retrieving them from a model or setting their value. For example, you may want to use the Laravel encrypter to encrypt a value while it is stored in the database, and then automatically decrypt the attribute when you access it on an Eloquent model.

What is ORM in Laravel?

Eloquent is an object relational mapper (ORM) that is included by default within the Laravel framework. An ORM is software that facilitates handling database records by representing data as objects, working as a layer of abstraction on top of the database engine used to store an application's data.

What is mass assignment in Laravel?

Mass assignment is a process of sending an array of data that will be saved to the specified model at once. In general, you don't need to save data on your model on one by one basis, but rather in a single process. Mass assignment is good, but there are certain security problems behind it.


1 Answers

Software frameworks sometime allow developers to automatically bind HTTP request parameters into program code variables or objects to make using that framework easier on developers. This can sometimes cause harm.

Attackers can sometimes use this methodology to create new parameters that the developer never intended which in turn creates or overwrites new variable or objects in program code that was not intended.

This is called a Mass Assignment vulnerability.

And laravel provider fillable for mass-assignment vulnerability, it is a white-list for fields.

A mass-assignment vulnerability occurs when a user passes an unexpected HTTP parameter through a request, and that parameter changes a column in your database you did not expect. For example, a malicious user might send an is_admin parameter through an HTTP request, which is then passed into your model's create method, allowing the user to escalate themselves to an administrator.

like image 117
TsaiKoga Avatar answered Sep 28 '22 16:09

TsaiKoga