0
0
Laravelframework~10 mins

Mass assignment protection in Laravel - Step-by-Step Execution

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf
Concept Flow - Mass assignment protection
Receive user input data
Attempt to create/update model with input
Check model's fillable or guarded properties for each field
Allow assignment
Save model
End process
This flow shows how Laravel checks if input data can be assigned to model fields safely, blocking any unallowed fields to protect data.
Execution Sample
Laravel
User::create(['name' => 'Ana', 'role' => 'admin']);

// In User model:
// protected $fillable = ['name'];
This code tries to create a user with name and role, but only 'name' is allowed to be mass assigned.
Execution Table
StepActionInput DataModel fillableAllowed FieldsBlocked FieldsResult
1Receive input{name: 'Ana', role: 'admin'}['name']nameroleProceed to assign
2Check each input fieldname['name']Allowed-Assign 'Ana' to name
3Check each input fieldrole['name']-BlockedPrevent assignment of 'role'
4Create model instance--name-Model created with name='Ana' only
5Save model----User saved in database
6End----Process complete, no mass assignment error
💡 Mass assignment blocked for 'role' field because it is not in fillable array
Variable Tracker
VariableStartAfter Step 2After Step 3Final
inputData{name: 'Ana', role: 'admin'}{name: 'Ana', role: 'admin'}{name: 'Ana', role: 'admin'}{name: 'Ana', role: 'admin'}
fillable[]['name']['name']['name']
allowedFields[]['name']['name']['name']
blockedFields[][]['role']['role']
modelAttributes{}{name: 'Ana'}{name: 'Ana'}{name: 'Ana'}
Key Moments - 2 Insights
Why is the 'role' field not saved even though it was in the input?
Because 'role' is not listed in the model's fillable array, Laravel blocks it to prevent mass assignment. See execution_table step 3 where 'role' is blocked.
What happens if the fillable array is empty?
No fields are allowed for mass assignment, so any attempt to assign input data will be blocked, resulting in no attributes being mass assigned. This is shown by the blockedFields tracking in variable_tracker.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, which field is blocked from assignment?
Aboth name and role
Bname
Crole
Dnone
💡 Hint
Check the 'Blocked Fields' column in execution_table row 3
At which step is the model instance created with allowed fields?
AStep 2
BStep 4
CStep 3
DStep 5
💡 Hint
Look at the 'Result' column in execution_table row 4
If 'role' was added to fillable, what would change in the execution table?
A'role' would be allowed and assigned at step 3
B'role' would still be blocked
CModel creation would fail
DInput data would be empty
💡 Hint
Compare 'fillable' and 'blockedFields' columns in execution_table rows 2 and 3
Concept Snapshot
Mass assignment protection in Laravel:
- Use $fillable array in model to list allowed fields
- Input fields not in $fillable are blocked
- Prevents accidental or malicious data overwrite
- Silently ignores blocked fields
- Always define $fillable or $guarded to secure models
Full Transcript
Mass assignment protection in Laravel helps keep your app safe by controlling which input fields can be assigned to your model all at once. When you try to create or update a model using an array of data, Laravel checks the model's fillable array. Only fields listed there are allowed to be assigned. Others are blocked to prevent unwanted changes. For example, if you try to assign 'name' and 'role' but only 'name' is fillable, Laravel will assign 'name' and block 'role'. This stops users from changing sensitive fields like roles or permissions by accident or attack. The process ends with the model saved with only allowed fields. Always set fillable or guarded properties in your models to keep mass assignment safe.