
Fix Mass Assignment in CodeIgniter

Mass Assignment in CodeIgniter (specifically CI4) occurs when an application takes user-provided input and passes it directly to a Model's save, update, or insert methods without filtering. An attacker can exploit this by 'overposting'—injecting extra fields into the HTTP request (like 'is_admin' or 'balance') that the developer never intended to be user-writable.

The Vulnerable Pattern

// Controller: Vulnerable to Overposting
class Profile extends BaseController {
    public function updateProfile($id) {
        $userModel = new \App\Models\UserModel();
        $data = $this->request->getPost(); // Grabs all POST data blindly
        $userModel->update($id, $data);    // Updates any column matching the POST keys
    }
}

// Model: Insecure if $allowedFields is too broad or missing
class UserModel extends \CodeIgniter\Model {
    protected $table = 'users';
    // 'role' and 'is_admin' are privilege columns and must never be mass-assignable
    protected $allowedFields = ['username', 'email', 'password', 'role', 'is_admin'];
}

The Secure Implementation

To prevent Mass Assignment, use the $allowedFields property of your CodeIgniter Model as a strict whitelist. Any key passed to update() or insert() that is not in this array is silently discarded by the framework before the query is built. For defense in depth, never pass the raw getPost() array to the model; call getPost(['field1', 'field2']) in the controller so that only the named keys are read from the request at all.

// Model: Strict Whitelisting
class UserModel extends \CodeIgniter\Model {
    protected $table = 'users';
    // Only define fields that are safe for mass input
    protected $allowedFields = ['username', 'email', 'bio'];
}

// Controller: Explicit Input Mapping
class Profile extends BaseController {
    public function updateProfile($id) {
        $userModel = new \App\Models\UserModel();
        // Explicitly fetch only what you need
        $data = $this->request->getPost(['username', 'email', 'bio']);

        if ($userModel->update($id, $data)) {
            return redirect()->to('/profile')->with('success', 'Updated.');
        }

        // Validation or database failure: send the user back with the model's errors
        return redirect()->back()->withInput()->with('errors', $userModel->errors());
    }
}
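A regression test that pins the fix down is the check most teams are missing. The following is an added example, not code from the original page or from the CodeIgniter project. It assumes the route POST /profile/update/(:num) maps to the controller above, a users table (created by an App migration) with id, username, email, bio and is_admin columns, and that the CSRF filter is not applied to this route in the testing environment; it uses CodeIgniter 4's FeatureTestTrait and DatabaseTestTrait to submit an overposted is_admin field and asserts that only the whitelisted column changed.

```php
<?php

namespace Tests\Feature;

use CodeIgniter\Test\CIUnitTestCase;
use CodeIgniter\Test\DatabaseTestTrait;
use CodeIgniter\Test\FeatureTestTrait;

// Added example (not from the page). Assumptions: route POST profile/update/(:num)
// -> Profile::updateProfile, a 'users' table with id/username/email/bio/is_admin,
// migrations under the App namespace, and no CSRF filter on this route in testing.
class OverpostingTest extends CIUnitTestCase
{
    use FeatureTestTrait;
    use DatabaseTestTrait;

    protected $migrate   = true;   // run migrations against the test database
    protected $refresh   = true;   // rebuild the schema for every test
    protected $namespace = 'App';  // assumed: the users migration lives in App

    public function testIsAdminCannotBeSetByOverposting(): void
    {
        // Constructed fixture: an ordinary, non-admin user with a known id
        $this->hasInDatabase('users', [
            'id'       => 1,
            'username' => 'alice',
            'email'    => 'alice@example.com',
            'bio'      => 'old bio',
            'is_admin' => 0,
        ]);

        // Legitimate profile fields plus an overposted privilege column
        $result = $this->post('profile/update/1', [
            'username' => 'alice',
            'email'    => 'alice@example.com',
            'bio'      => 'new bio',
            'is_admin' => 1,
        ]);

        // The controller redirects on success
        $result->assertRedirect();

        // The whitelisted column was written...
        $this->seeInDatabase('users', ['id' => 1, 'bio' => 'new bio']);

        // ...and the overposted column was dropped before the query was built
        $this->seeInDatabase('users', ['id' => 1, 'is_admin' => 0]);
    }
}
```

Run it with vendor/bin/phpunit; if someone later widens $allowedFields or reverts the controller to a bare getPost(), the second seeInDatabase() fails and the regression is caught in CI. Note that the whitelist only controls which columns a request may write, not which row: the controller still has to verify that the authenticated user is allowed to update the given $id.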
