Is the update->request(all) with token a recent thing?

The CSRF token has always been included in the request.

However, you shouldn't need to explicitly exclude the token in your update call. Unless there is a mass assignable column named _token in your model, the token is simply ignored.

Hi @cometads

I don't have a column named token but if I don't add that except token I get this when I submit.

"SQLSTATE[42S22]: Column not found: 1054 Unknown column '_token' in 'field list' (SQL: update `expects` set `_token` = alOa7Ayb8tAsY8tOqkE0Man9gStGBowcVK4lP0qo,  

My model has this for mass assignment

protected $fillable = [
        'wheelchairReady','contactAdvisories','mobilityAdvisories','contentAdvisories','event_id'

    ];

and my database has this

 Schema::create('expects', function (Blueprint $table) {
            $table->bigIncrements('id');
            $table->unsignedBigInteger('event_id');
            $table->string('wheelchairReady')->nullable();
            $table->longtext('contactAdvisories')->nullable();
            $table->longtext('mobilityAdvisories')->nullable();
            $table->longtext('contentAdvisories')->nullable();
            $table->timestamps();
        });

@chrisgrim Can you show on what are you calling the update method? If it is on the model itself, like this:

Expect::update($request->all());

Then you will get the error because this tries to match a record based on the fields, instead of one field. But if you call it on an instance like this:

Expect::find(1)->update($request->all());

All should be good. And also please share the laravel version that you use just in case there was a change in a version so we can check.

Hi @nakov I am calling it with

$event->expectation()->update($request->except(['_token']));

and in my composer I have

"laravel/framework": "5.8.*",

Though I am not sure how to see the exact version of laravel.

@chrisgrim at the end it does not hurts to call it using except on the _token.

Is the expectation a one to one relationship with your event or can it be more than one? What I doubt is that this $event->expectation() returns an empty relationship if it is not already set.

So try this instead:

$event->expectation->update($request->except(['_token']));

Make sure that the expectation cannot be null, otherwise it will throw an exception. I am just trying to clear things out for you on what goes wrong, because having the _token in the request should not throw the exception that you have in normal circumstances. In your case you are calling update on the Query Builder, not using Eloquent, which avoids the $fillable field, hence the error.

Side note php artisan --version prints out the current version that you have running.

I recently have had to change ...

So it happened out of nowhere? It must be happening for some reason. Did you upgrade some packages? Updated some code? Maybe overwritten one of the model classes? getFillable(), isFillable()?

You should be able to figure this out quite easily when you set breakpoints in the update() method itself with xDebug and follow the code step for step.

edit I think @nakov is right, you are doing an update directly via a query that is probably bypassing the fillable property. See also this ticket on github: https://github.com/laravel/framework/issues/16447

Hi Nakov

Ok I tried it with $event->expectation and it worked. What I don't understand is what you mean by calling an update on the Query Builder and not using Eloquent. I don't really understand the difference between expectation and expectation().

@chrisgrim docs https://laravel.com/docs/5.8/eloquent-relationships

The difference is that calling your relationship as a method like: expectation gives you the Model or in the case you defined a hasMany() relationship a collection of Models.

When you call it as an attribute like: expectation() it gives you a query builder which you can use to do some extra filtering, sorting, and than call ->get() (and you can do even more with it like adding new relationships, syncing Id's, for hasManyToMany, etc.)

I can explain it in detail here here but I see someone already did it on SO for you: https://stackoverflow.com/questions/28223289/difference-between-method-calls-model-relation-and-model-relation

@chrisgrim you can debug it, this dd($event->expectation()); will return Illuminate\Database\Eloquent\Relations\HasOne while dd($event->expectation); returns an instance of App\Expectation which is an instance of Eloquent model, which is an ORM a layer above the Query Builder which prevents the mass assignment = $fillable fields, and filters out what is not needed. While the Query Builder directly translates the call into SQL and tries to execute the query.

@click I just saw your reply, I am testing it on my project, and it is vice versa, expectation returns an instance of the model, which is then Eloquent, while the expectation() returns a relationship, which is the Query Builder. Anyhow the StackOverflow link is a good answer for the question.

@nakov ofcourse... updated my answer ;-) thanks

Hi Guys Thank you so much for all your answers. That stackoverflow answer is really helping me understand so thank you so much @click. You guys are why I love this site!

Hi @nakov and @click One last question. So I am starting to understand the returning of the relationship object vs just the result of the relationship. One thing I am having trouble understanding. If I update just the result of the relationship using $event-expectation->update am I losing the mass assignment check for the rest of my fields? I want to make sure my submissions are protected and someone can't submit a user id or event id with the form.

Thanks Chris