Database Eloquent
Last updated 2 years ago.

Hello Captbrogers,

You want to be using fillable exclusively. If you're using $guarded in a slightly outdated Laravel, you're in danger of SQL injection. The release notes of Laravel 4.1.29 dismiss this as merely a "risk of mass assignment", but it's quite a bit more dangerous than that.

More generally speaking, security-wise, whitelists are always a better idea than blacklists, because blacklists are by their nature never entirely complete.

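Added illustration (not part of the original thread, and not Eloquent's own code): a constructed model of the two filtering modes sjamaan contrasts. A whitelist keeps only the listed keys, so an unexpected request key never reaches the query builder; a blacklist forwards every key it does not recognise, and each forwarded key becomes a column name in the generated statement. The quoting helpers and the payload are constructed for the example; the naive quoter stands in for the kind of identifier quoting the 4.1.29 release note says was improved.

```php
<?php
// Constructed model of mass-assignment filtering. Not Eloquent's code:
// the functions, the table/column names and the payload are made up here.

declare(strict_types=1);

// Whitelist mode ($fillable): only the listed keys survive.
function filterFillable(array $input, array $fillable): array
{
    return array_intersect_key($input, array_flip($fillable));
}

// Blacklist mode ($guarded): every key survives except the listed ones.
function filterGuarded(array $input, array $guarded): array
{
    return array_diff_key($input, array_flip($guarded));
}

// Naive identifier quoting: wraps the name in backticks but does not
// escape backticks that are already inside it.
function quoteNaive(string $identifier): string
{
    return '`' . $identifier . '`';
}

// Hardened identifier quoting: doubles any embedded backtick (MySQL rule),
// so the name can never close the quoted identifier early.
function quoteSafe(string $identifier): string
{
    return '`' . str_replace('`', '``', $identifier) . '`';
}

// Builds an UPDATE with bound values; only the column names are interpolated,
// which is exactly why the attribute *keys* matter.
function buildUpdate(string $table, array $attributes, callable $quote): string
{
    $sets = [];
    foreach (array_keys($attributes) as $column) {
        $sets[] = $quote($column) . ' = ?';
    }
    return 'UPDATE ' . $quote($table) . ' SET ' . implode(', ', $sets) . ' WHERE `id` = ?';
}

// Constructed request payload: two ordinary fields plus a hypothetical key
// whose name contains a backtick and SQL fragments.
$payload = [
    'email'                   => 'alice@example.com',
    'is_admin'                => 1,
    "email` = 'x', `is_admin" => 1,
];

echo "whitelist (\$fillable = ['email']):\n";
echo buildUpdate('users', filterFillable($payload, ['email']), 'quoteNaive'), "\n\n";

$leaky = filterGuarded($payload, ['is_admin']);

echo "blacklist (\$guarded = ['is_admin']), naive quoting:\n";
echo buildUpdate('users', $leaky, 'quoteNaive'), "\n\n";

echo "blacklist (\$guarded = ['is_admin']), escaped quoting:\n";
echo buildUpdate('users', $leaky, 'quoteSafe'), "\n";
```

Running it shows the three outcomes side by side: the whitelist produces a single `email` column no matter what else was sent; the blacklist with naive quoting lets the unknown key rewrite the SET clause, which is the "more than mass assignment" danger sjamaan describes; the blacklist with escaped quoting keeps the key as one (useless) column name. Only the first case is safe independently of how the query builder quotes identifiers, which is the reason to prefer the whitelist even on a patched installation.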

sjamaan is accurate in his last paragraph.

However, not all Eloquent models save user input; some models could be writing data that was generated by the application and has no origin from a user. If you have a lot of fields in your table, you can write a lot less code using $guarded.


I assumed as such, good to know I was right. Thanks.

