Security Eloquent
Last updated 1 year ago.
0

Why could you not assign this key the way you've shown? Mass assignment protects from filling an array of attributes using the fill(), create() or update() methods, so if you pass something like this:

$book = Book::create(Input::all());

and you have mass assignment protection, you will not be able to pass fields in the input that you would not want the user to be allowed to set.

But if you use code like:

$book->id_book_category = \Input::get('id_book_category');

it does work exactly as you would like it to: it assigns the value to $book->id_book_category, as it does not check whether this field is protected against mass assignment. Hopefully you get the idea.

0

Thanks for your answer. I have one more question for you. If I have an object with many fields, like 10 or 15 fields, and I'm doing it like this:

$data = \Input::all();
$book = new Book();

// validate() is the poster's own model method, not part of Eloquent
$validateBook = $book->validate($data);

if ($validateBook) {
    $book->fill($data);
    $book->save();
} else {
    // ...
}

How can I mass assign fields in the object, including guarded fields?

0

You can for example do something like:

foreach ($data as $key => $value) {
    $book->setAttribute($key, $value);
}
0

OK, so why is the better idea this: foreign keys are guarded and I must use foreach to assign input data into my object,

instead of this: foreign keys aren't guarded and I can assign the whole input data (after validation) with one line of code:

$obj->fill($data);
//here some other operations
$obj->save();

Sorry for all my questions, but I'm trying to understand Eloquent ;).

Last updated 9 years ago.
0

You can answer this question by yourself if you understand the mass assignment vulnerability. Will you ever be happy if a user is able to modify the request and, for example, pass user_id=3 in your request, modifying the id of the user that your book belongs to? I don't think so.

0

You are right, but if my primary key isn't in the fillable var we can't modify it, right? Foreign keys can be changed by the user, why not? For example, an administrator can move your account from the user group into the moderators group ;).

0

There is never a situation where you can't modify a field on the model. If you protect some field from being mass assigned, and thus protect it from being filled with ->fill(Input::all()), you can always manually assign any attribute, either by just setting it like ->user_id = 1 or by using ->setAttribute('user_id', 1), which actually do exactly the same under the hood.

0

OK, so my last question :). When I update some object with the PATCH method I get only the fields that have changed, but I don't know exactly which ones changed. How can I assign them? I know that I can do this:

foreach (\Input::all() as $key => $val) {
    $obj->setAttribute($key, $val);
}

But there is the same problem (as in my new $obj(\Input::all()) without guarded) that you wrote about: we can overwrite guarded fields.

Last updated 9 years ago.
0

You mean that you are using a resourceful controller and calling a route like obj/{id} with the PATCH HTTP method? You are clearly misunderstanding something, as the PATCH request type is used only to get to the proper method on the controller, which is update(). Then you get the $id of the object as a parameter, so you can find the model in the database and perform the same thing you do when creating an object; the only difference is that instead of creating a new record you will perform an update on the existing model. Nothing more.

0
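The pattern the thread arrives at, written out as an added example that is not code from the thread: guarded primary/foreign keys, validated input passed to fill(), the foreign key and owner set explicitly afterwards, and the same flow reused for the PATCH update. It assumes a `books` table with columns id, title, author, user_id, id_book_category, a `book_categories` table, and Laravel 5.5+ style request injection with $request->validate() instead of the thread's Input facade.

```php
<?php
// Added example, not code from the thread. Assumed schema: books(id, title,
// author, user_id, id_book_category) and book_categories(id); Laravel 5.5+.

use Illuminate\Database\Eloquent\Model;
use Illuminate\Http\Request;

class Book extends Model
{
    // Primary and foreign keys are never mass-assignable via fill()/create();
    // they can still be set individually with ->user_id = ... or setAttribute().
    protected $guarded = ['id', 'user_id', 'id_book_category'];
}

class BookController
{
    // POST /books: only user-editable columns come from the request body;
    // the owner is taken from the authenticated user, never from the client.
    public function store(Request $request)
    {
        $data = $request->validate([
            'title'            => 'required|string|max:255',
            'author'           => 'required|string|max:255',
            'id_book_category' => 'required|integer|exists:book_categories,id',
        ]);

        $book = new Book();
        $book->fill($data);  // a guarded key in $data would simply be skipped here
        $book->id_book_category = $data['id_book_category']; // explicit, validated
        $book->user_id = $request->user()->id;               // server-controlled
        $book->save();
        return $book;
    }

    // PATCH /books/{id}: load the record, then fill() the validated subset.
    // Eloquent writes only dirty attributes, so a partial body is fine.
    public function update(Request $request, $id)
    {
        $book = Book::where('user_id', $request->user()->id)->findOrFail($id);
        $data = $request->validate([
            'title'  => 'sometimes|required|string|max:255',
            'author' => 'sometimes|required|string|max:255',
        ]);

        $book->fill($data);
        $book->save();       // no UPDATE query at all if nothing changed
        return $book;
    }
}
```

Because the update scopes the lookup to the authenticated owner, a client cannot re-point someone else's book at themselves by editing the id in the URL or the body.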

Thank you :). You helped me a lot.

0
