Tự học Laravel: (11) ELOQUENT MASS ASSIGNMENT

Let’s add data to the table by using the mass assignment function of Eroguent. 


You can add data to a table with one statement by passing values ​​in an array to the create() method below.

App\Article::create(['title' => 'Tiêu đề', 'body' => 'Nội dung', 'published_at' => Carbon\Carbon::now()]);

Well, let’s try it with tinker.

php artisan tinker

>>> App\Article::create(['title' => 'Tiêu đề', 'body' => 'Nội dung', 'published_at' => Carbon\Carbon::now()]);

Illuminate\Database\Eloquent\MassAssignmentException with message 'title'

Apparently, an exception error named MassAssignmentException occurred.

In fact, in Eloquent’s mass assignment, it is necessary to declare items that can be registered in advance. Declare the model’s fillable variables as an array as shown below.

<?php //app/Article.php
namespace App;
 
use Illuminate\Database\Eloquent\Model;
 
class Article extends Model {
 
    protected $fillable = ['title', 'body', 'published_at'];
 
}

Let’s try again with tinker. 
Please restart tinker.

php artisan tinker

>>>  App\Article::create(['title' => 'Tiêu đề', 'body' => 'Nội dung', 'published_at' => Carbon\Carbon::now()]);
=>  {
       title: "Tiêu đề",
       body: "Nội dung",
       published_at:  {
           date: "2015-06-18 08:14:06.000000",
           timezone_type: 3,
           timezone: "UTC"
       },
       updated_at: "2015-06-18 08:14:06",
       created_at: "2015-06-18 08:14:06",
       id: 2
   }
>>> App\Article::all()->toArray();
=> [
       [
           "id"           => "1",
           "title"        => "Tiêu đề 1",
           "body"         => "Nội dung 1",
           "created_at"   => "2015-02-22 21:08:16",
           "updated_at"   => "2015-02-22 21:08:16",
           "published_at" => "2015-02-22 20:47:07"
       ],
       [
           "id"           => "2",
           "title"        => "Tiêu đề",
           "body"         => "Nội dung",
           "created_at"   => "2015-02-23 16:32:31",
           "updated_at"   => "2015-02-23 16:32:31",
           "published_at" => "2015-02-23 16:32:31"
       ]
   ]

I went well this time!

MASS ASSIGNMENT SECURITY MEASURES

So why do mass assignments need to be guarded using fillables like this?

Mass assignments are used in the process of storing user requests in a table. If the request contains an unexpected item, it will be a serious security hole if it is updated as it is.

For example, User class has 3 columns of name, age and admin, and admin has admin privileges which are not updated from the user screen. If the following code is written in User’s new registration process …

$article = AppUser::create($request->all());

If $ request contains admin due to an invalid request etc., admin privileges will be set to any value.

Therefore, in mass assignment, permission is given only to the item declared as fillable, and the other is guarded.

https://laravel.com/docs/master/eloquent#mass-assignment

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.