Error while posting

1

I'm trying to save the information that comes from my registration form with this function:

public function postCreate()
{

    $this->beforeFilter('csf', array('on' => 'post'));
    $validator = Validator::make($data = Input::all(), Despesa::$rules);
    if ($validator->fails())
    {
        return Redirect::back()->withErrors($validator)->withInput();
    }
    unset($data['_token']);
    //dd($data);
    Despesa::create($data);
    return Redirect::route('admin.despesas');
}

But when I send it, it gives me an error:

Illuminate \ Database \ Eloquent \ MassAssignmentException

id

C:\xampp\htdocs\teste\Projetos\l4\bootstrap\compiled.php
{
    $totallyGuarded = $this->totallyGuarded();
    foreach ($this->fillableFromArray($attributes) as $key => $value) {
        $key = $this->removeTableFromKey($key);
        if ($this->isFillable($key)) {
            $this->setAttribute($key, $value);
        } elseif ($totallyGuarded) {
            throw new MassAssignmentException($key);
        }
}
    
asked by anonymous 01.05.2014 / 17:14

2 answers

3

When you pass data directly to Eloquent::create you are doing a Mass Assignment, which is considered insecure because the user can enter whatever data they want into your table.

To prevent Laravel from detecting this as a security breach, you must specify which fields can or cannot be modified directly by adding a $fillable or $guarded property.

$fillable represents the fields that can be modified directly and $guarded has the opposite effect, e.g.:

<?php
class Model extends Eloquent {
    // Fields that may be set through mass assignment
    protected $fillable = array('nome', 'senha');
    // Fields that are never set through mass assignment
    protected $guarded  = array('id', 'codigo');
}

When I use Eloquent::create in my model above, it will block any value in the id and codigo fields and will allow direct modification of only the nome and senha fields.

    
01.05.2014 / 17:53
1

Referring to the Laravel site itself, the mass-assignment link explains why such an error happens:

When creating a new model, you pass an array of attributes to the model constructor. These attributes are then assigned to the model via mass-assignment. This is convenient; however, it can be a serious security concern when blindly passing user input into a model. If user input is blindly passed into a model, the user is free to modify any and all of the model's attributes. For this reason, all Eloquent models protect against mass-assignment by default.

To set this type of configuration, follow the basic example:

class Carro extends Eloquent {
    protected $fillable = array('cor', 'modelo');
} 

01.05.2014 / 17:49
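
The behaviour both answers describe, as an added example that is not part of the original thread and not Laravel's own code: a plain-PHP stand-in for the guard shown in the compiled.php excerpt, run against a constructed POST body. The GuardedModel class, the Despesa* class names and the descricao, valor and aprovada fields are assumptions made for illustration.

```php
<?php
// Simplified stand-in for the Eloquent fill() guard quoted in the question.
// Illustration only: this is not Laravel's code and needs no framework.
class MassAssignmentException extends RuntimeException {}

abstract class GuardedModel
{
    protected $fillable = array();     // whitelist, empty by default
    protected $guarded  = array('*');  // default: every attribute guarded
    public $attributes  = array();

    public function __construct(array $input)
    {
        $totallyGuarded = count($this->fillable) === 0 && $this->guarded === array('*');
        foreach ($input as $key => $value) {
            if ($this->isFillable($key)) {
                $this->attributes[$key] = $value;
            } elseif ($totallyGuarded) {
                // Nothing is assignable at all: fail loudly on the first key.
                throw new MassAssignmentException($key);
            }
            // Otherwise the non-whitelisted key is silently dropped.
        }
    }

    protected function isFillable($key)
    {
        if (in_array($key, $this->fillable, true)) return true;
        if ($this->guarded === array('*') || in_array($key, $this->guarded, true)) return false;
        return count($this->fillable) === 0;
    }
}

// No $fillable or $guarded declared, like the model in the question.
class DespesaUnprotected extends GuardedModel {}

// Whitelist only the columns the form may set (hypothetical column names).
class DespesaWhitelisted extends GuardedModel { protected $fillable = array('descricao', 'valor'); }

// Constructed request body: 'id' and 'aprovada' are not meant to be user-set.
$post = array('id' => 99, 'descricao' => 'Aluguel', 'valor' => '1200.00', 'aprovada' => 1);

try {
    new DespesaUnprotected($post);
} catch (MassAssignmentException $e) {
    echo "rejected on key: ", $e->getMessage(), "\n";
}

$despesa = new DespesaWhitelisted($post);
print_r($despesa->attributes);
```

With no $fillable the first posted key is rejected, which is why the exception in the question names id; with the whitelist in place, posted keys outside it are dropped without an error.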