Fix Mass Assignment in Laravel
Mass Assignment is a classic 'over-posting' vulnerability. In Laravel it occurs when you pass a request payload straight into an Eloquent model through create(), fill() or update(). An attacker can add fields such as 'is_admin' or 'balance' to the HTTP request body, and if the model is not locked down, Eloquent will write those sensitive columns to the database. It is a direct path to privilege escalation and data corruption.
The Vulnerable Pattern
    public function update(Request $request, User $user)
    {
        // DANGEROUS: blindly trusting user input.
        // An attacker can include {"is_admin": true} in the JSON body.
        $user->update($request->all());
    }
The Secure Implementation
To neutralize Mass Assignment, implement a strict whitelist policy. Use the '$fillable' property on your Eloquent models to define exactly which attributes are safe for mass assignment. Avoid '$guarded': it acts as a blacklist, so if you add new columns to the database later and forget to update it, you are vulnerable again. Furthermore, never pass '$request->all()' into a persistence method. Use '$request->only([...])' or, better, Laravel's validation engine, since '$request->validate()' returns only the keys that were validated, and the model's '$fillable' list then acts as a second layer of defence behind the controller.
    // 1. Define the whitelist in the model
    class User extends Model
    {
        protected $fillable = ['name', 'email', 'password'];
    }

    // 2. Explicitly validate and filter in the controller
    public function update(Request $request, User $user)
    {
        $validated = $request->validate([
            'name'     => 'required|string|max:255',
            'email'    => 'required|email|unique:users,email,' . $user->id,
            'password' => 'sometimes|min:8',
        ]);

        // Only the validated data is passed to the update method
        $user->update($validated);
    }
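The hardening above is only as good as the regression test that proves it. The following PHPUnit feature test is an added example, not code from the original article: it sends an over-posted payload to the update endpoint and asserts that the privileged columns did not move, and it separately checks at the model level that fill() discards keys outside $fillable. It assumes a Laravel application with the User model shown above, a route named 'users.update' bound to the controller method, and hypothetical 'is_admin' and 'balance' columns on the users table; those names are assumptions taken from the attack scenario in the text, not from any real project.

```php
<?php

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class UserMassAssignmentTest extends TestCase
{
    use RefreshDatabase;

    public function test_privileged_columns_cannot_be_over_posted(): void
    {
        // Constructed fixture: an ordinary, non-admin user.
        // Assumes an 'is_admin' column exists on the users table.
        $user = User::factory()->create(['is_admin' => false]);

        // The over-posting payload: legitimate fields plus fields the
        // client must never be allowed to set.
        $payload = [
            'name'     => 'Alice',
            'email'    => 'alice@example.com',
            'is_admin' => true,
            'balance'  => 1000000,
        ];

        // 'users.update' is a hypothetical route name; adjust to the app's own.
        $this->actingAs($user)
             ->putJson(route('users.update', $user), $payload)
             ->assertOk();

        $user->refresh();

        // The whitelisted field was updated ...
        $this->assertSame('Alice', $user->name);
        // ... while the privileged field was ignored, both on the model
        // and in the underlying table.
        $this->assertFalse((bool) $user->is_admin);
        $this->assertDatabaseMissing('users', [
            'id'       => $user->id,
            'is_admin' => true,
        ]);
    }

    public function test_fillable_whitelist_drops_unknown_keys_before_persistence(): void
    {
        // Model-level check that needs no route: fill() applies $fillable,
        // so 'is_admin' never reaches the attribute bag at all.
        $user = new User();
        $user->fill(['name' => 'Bob', 'is_admin' => true]);

        $this->assertSame(['name' => 'Bob'], $user->getAttributes());
    }
}
```

Note that by default Eloquent drops non-fillable keys silently, which also hides the honest mistake of forgetting to add a new column to $fillable. In Laravel 9 and later, calling Model::preventSilentlyDiscardingAttributes() from a service provider (typically only outside production) makes such a fill() throw a MassAssignmentException instead, so both an over-posting attempt and a missing whitelist entry surface as a visible failure in your test suite rather than a quiet no-op.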
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.