Loomix's avatar

Add [_token] to fillable property to allow mass assignment

I keep getting this error from Laravel 9.5 after sending my edit form for a model. The post request shows

[2023-03-13 00:17:50] local.INFO: array (
  '_token' => '0Rxf7NWGl4t60w5iRpNFBNUfoy8Tdwr7W7uKKSJq',
  '_method' => 'put',
  'name' => 'Caladrius Blaze',
  'altname' => 'Karadoriusu',
  'system' => '2',
)

and I used guarded for the attributes in my model like

use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;

class Game extends Model
{
  use HasFactory;
  protected $guarded = ['id'];   // id is the only guarded attribute
}

When I exchange it for fillable with the attributes allowed, the error changes in Add [_method, _token] to fillable property to allow mass assignment. My Game controller shows

    public function update(Request $request, $id)
    {
      Log::info($request);               // logs the full input, _token and _method included
      $game = Game::findOrFail($id);     // find() would return null for an unknown id
      DB::beginTransaction();
      try {
        $game->update($request->all());  // every request key is handed to fill(), _token and _method too
        DB::commit();
        return redirect()->route('');    // route name left empty in the post
      }
      catch (\Exception $e) {
        DB::rollBack();
        throw $e;
      }
    }

The DB commit is not done because of the error. I don't understand why Laravel needs any token defined as allowed attribute for mass assignment and why is it not allowed when guarding only id?

0 likes
10 replies
LaryAI's avatar
Level 58

The _token and _method fields are automatically added to all forms in Laravel as a security measure to prevent cross-site request forgery (CSRF) attacks. To allow mass assignment of these fields, you need to add them to the fillable property in your model.

To fix the error, update your Game model to include _token and _method in the fillable property:

class Game extends Model
{
  use HasFactory;
  protected $fillable = ['name', 'altname', 'system', '_token', '_method'];
}

This will allow Laravel to mass assign the _token and _method fields when updating the Game model.

Note that you should only add fields to the fillable property if you trust the source of the data. If you're accepting user input, you should validate the input first to ensure that it's safe to mass assign.

1 like
Loomix's avatar

Okay, now I'm getting SQLSTATE[42S22]: Column not found: 1054 Unknown column '_token' in 'field list' which means I am supposed to remove _method and _token from the request array before mass assignment?

Ninj4df's avatar

Hello.

You try to update each property that comes from the request, which is pretty bad practice.

You should validate your data and update only the validated keys with its values.

Also I don't think that you need a DB transaction for such a simple update query.

Loomix's avatar
  • Mass assignment is bad practise? How so?
  • What makes you think my code is finished yet? There is nothing wrong with testing requests and adding validation afterwards.
  • DB transactions are a safe way to do it. If you have a better approach, show the code including explanation.

...and feel free to figure out what this thread is actually about and suggest a solution to the actual issue. Thanks.

Ninj4df's avatar

Do you accept help?

$request->all() is bad practice

DB transactions should be used when you try to do more complex stuff like updating more than 1 table in the same chunk of code/request and you need consistency for your data. If you think that's safe for what you want to do right now, happy over-engineering then.

suggest a solution to the actual issue:

Validate your data and pass the validated data to the update method.

Loomix's avatar

@Ninj4df

Do you accept help?

No, that's because I'm asking in a forum for help facepalm

$request->all() is bad practice

Interesting. So you're saying the official Laravel doc is full of bad practise? See e.g. https://laravel.com/docs/9.x/requests#input or https://laravel.com/docs/9.x/eloquent#mass-assignment Moreover, your reason for "bad practise" is still missing.

DB transactions should be used when you try to do more complex stuff

I actually do update more than 1 table but not in this minimal example for the forum question.

Validate your data and pass the validated data to the update method.

...and this will solve the issue of SQLSTATE[42S22]: Column not found: 1054 Unknown column '_token' in 'field list'? Or will this prevent Laravel from sending _method and _token with the request?

Ninj4df's avatar

Anyway

protected $guarded = ['id']

It means that only id will not be able to get mass assigned.

If you go to mass assign a _token property, it will try to add it to the database normally.

and this will solve the issue of SQLSTATE[42S22]: Column not found: 1054 Unknown column '_token' in 'field list'

So, YES

khanalpride's avatar

You can just use

// $request->all();   // It will get all data from request
$request->except(['_token', '_method']);   // use this to exclude _token and _method
1 like
Ninj4df's avatar

@khanalpride ->only() would be a better option in this specific case, so the opposite.

Using except or all is always prone to security risks in this case; that's why I told that guy about "bad practices", but he didn't want to listen.

What if a user intercepts the request and adds a created_at attribute? (Think of adding something more important.) Boom, he just tricked your "best practice" request.

Loomix's avatar

@Ninj4df

"That guy" listens really carefully once there's some substance or reasoning in statements.

What if a user intercepts the request and adds a created_at attribute? (Think of adding something more important.) Boom, he just tricked your "best practice" request.

I understand that $fillable and $guarded are to prevent such attempts. How would someone be able to add a created_at or other request that's not in the fillable list?

1 like
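The fix the thread converges on, written out as an added example (not code from any participant): validate the request and pass only the validated keys to update(), so _token and _method never reach the query and an extra field such as created_at is dropped before fill() sees it. It assumes a Laravel 9 app with the Game model and the three columns shown in the logged request; the file paths, validation rules and route name are assumptions.

```php
<?php
// File: app/Models/Game.php (assumed path; the thread only shows the class body)
namespace App\Models;

use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;

class Game extends Model
{
    use HasFactory;

    // Explicit allow-list instead of $guarded = ['id']: only these three
    // columns can be mass assigned, whatever else the request carries.
    protected $fillable = ['name', 'altname', 'system'];
}

// File: app/Http/Controllers/GameController.php (assumed path)
namespace App\Http\Controllers;

use App\Models\Game;
use Illuminate\Http\Request;

class GameController extends Controller
{
    public function update(Request $request, int $id)
    {
        // validate() returns only the keys named in the rules. _token and
        // _method are not listed, so they cannot reach the UPDATE statement,
        // and a smuggled extra field (created_at, an admin flag, ...) is
        // discarded the same way. The rules themselves are assumptions.
        $validated = $request->validate([
            'name'    => ['required', 'string', 'max:255'],
            'altname' => ['nullable', 'string', 'max:255'],
            'system'  => ['required', 'integer'],
        ]);

        $game = Game::findOrFail($id);  // 404 instead of update() on null
        $game->update($validated);      // only validated keys are assigned

        return redirect()->route('games.show', $game); // route name assumed
    }
}
```

With $fillable set as above, keys missing from the list are also ignored by fill() when update() is handed a wider array, which is why the combination of an allow-list and validated input answers both the "Unknown column '_token'" error and the created_at concern raised in the last replies.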