Error making a Post

Viewed 141 times

1

I am trying to save the information that comes from my registration form with this function:

public function postCreate()
{

    // Apply the CSRF filter to POST requests (Laravel's built-in filter is named 'csrf')
    $this->beforeFilter('csrf', array('on' => 'post'));
    $validator = Validator::make($data = Input::all(), Despesa::$rules);
    if ($validator->fails())
    {
        return Redirect::back()->withErrors($validator)->withInput();
    }
    unset($data['_token']);
    //dd($data);
    Despesa::create($data);
    return Redirect::route('admin.despesas');
}

But when I submit it, it gives me an error:

Illuminate \ Database \ Eloquent \ MassAssignmentException

id

C:\xampp\htdocs\teste\Projetos\l4\bootstrap\compiled.php
{
    $totallyGuarded = $this->totallyGuarded();
    foreach ($this->fillableFromArray($attributes) as $key => $value) {
        $key = $this->removeTableFromKey($key);
        if ($this->isFillable($key)) {
            $this->setAttribute($key, $value);
        } elseif ($totallyGuarded) {
            throw new MassAssignmentException($key);
        }
}

2 answers

3


When you pass data directly to Eloquent::create you are doing a mass assignment, which is considered unsafe because the user can enter whatever data he wants into the table.

To prevent Laravel from detecting this as a security breach you must specify which fields may or may not be directly modified. To do so, add a $fillable or $guarded property.

$fillable represents the fields that can be directly modified and $guarded has the opposite effect, for example:

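<?php
class Model extends Eloquent {
    // Fields that may be set through mass assignment
    protected $fillable = array('nome','senha');
    // Fields that may never be set through mass assignment
    protected $guarded  = array('id','codigo');
}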

When I use Eloquent::create in my model above, it will block any value in the fields id and codigo and will allow direct modification only of the fields nome and senha.

  • I just hadn't added anything to $fillable

1

The reference on the Laravel site itself, under the mass-assignment link, explains why this error happens:

When creating a new model, you pass an array of attributes to the model constructor. These attributes are then assigned to the model via mass-assignment. This is convenient; however, can be a serious security concern when blindly passing user input into a model. If user input is blindly passed into a model, the user is free to modify any and all of the model’s attributes. For this reason, all Eloquent models protect against mass-assignment by default.

Translation (Google Translate):

When creating a new model, you pass an array of attributes to the model constructor. These attributes are then assigned to the model via mass-assignment. This is convenient; however, it can be a serious security problem when blindly passing user input into a model. If the user input is passed blindly into a model, the user is free to modify any and all model attributes. For this reason, all Eloquent models protect against mass-assignment by default.

To set up this kind of configuration, follow this basic example:

class Carro extends Eloquent {
    protected $fillable = array('cor', 'modelo');
} 

Reference:
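
The guard behaviour both answers describe, as a runnable sketch added here (it is not code from the original posts or from Laravel's source). GuardedModel, DespesaSemFillable, DespesaComFillable and the fields descricao, valor and pago are hypothetical names, since the question does not show the Despesa model or its columns.

```php
<?php
// Simplified stand-in for the fill() logic in the question's compiled.php
// excerpt. Assumption: not Laravel code; blacklist-only models are not modelled.
class MassAssignmentException extends RuntimeException {}

class GuardedModel
{
    protected $fillable = array();      // whitelist; empty by default
    protected $guarded  = array('*');   // default: every attribute guarded
    public $attributes  = array();

    public function fill(array $input)
    {
        // With a whitelist, keys outside it are dropped before the loop.
        $candidates = count($this->fillable) > 0
            ? array_intersect_key($input, array_flip($this->fillable))
            : $input;
        $totallyGuarded = count($this->fillable) === 0
            && $this->guarded === array('*');
        foreach ($candidates as $key => $value) {
            if (in_array($key, $this->fillable, true)) {
                $this->attributes[$key] = $value;
            } elseif ($totallyGuarded) {
                throw new MassAssignmentException($key);
            }
        }
        return $this;
    }
}

// Hypothetical models: the question does not show Despesa's columns.
class DespesaSemFillable extends GuardedModel {}
class DespesaComFillable extends GuardedModel
{
    protected $fillable = array('descricao', 'valor');
}

// Constructed form input, including fields the client should not control.
$input = array('id' => 99, 'descricao' => 'Aluguel', 'valor' => '1200.00', 'pago' => 1);

try {
    (new DespesaSemFillable)->fill($input);   // no whitelist: first key is rejected
} catch (MassAssignmentException $e) {
    echo "rejected on key: ", $e->getMessage(), "\n";
}

$despesa = (new DespesaComFillable)->fill($input);   // whitelist filters id and pago
print_r($despesa->attributes);
```

Note that with a whitelist in place the extra keys are dropped silently rather than raising an exception, so a request that tries to set id or pago leaves no trace unless the controller logs or rejects unexpected fields itself.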
