Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
Hello,
I would like to know if I'm allowed (tech talk) to hack the Model class like this :
protected $guarded = ['*'];
to
protected $guarded = ['*','id'];
Class : abstract class Model implements ArrayAccess, Arrayable, Jsonable, JsonSerializable, QueueableEntity, UrlRoutable (And by the way, why it doesn't extend eloquent like said here http://stackoverflow.com/questions/31917075/explicitly-define-guarded-id-to-prevent-accidental-insert ?)
That would defeat the point. It is preferred to set fillable instead of guarded. That way if a form data needs inserted in to more then one model you can easily to that just by passing in all the data in a create or update method and any data not set in the fillable will be disregarded with no error.
Yes im using the fillable but each table has an id that is guarded and im asking this to say that if we can hack that page and this to not repeat the id as guarded in every model. And why it doesnt extend eloquent
The id is not mass assignable by default. Yes, you can override that, but that would mean explicitly writing so in your code. I don't see why you would ever do that in your code so what are you worried about? If someone were to somehow hack your site, someone just fooling around and changing ids is the least of your worries. You have other much more glaring problems.
I'm not sure I understand that final part about extending Eloquent. In Laravel, the model is an Eloquent model unless you say so otherwise.
Im doing this to not put guarded id in every model
@thomaskim let me make it a little clearer, a table having name id and email columns, we will make email and name as fillable in the user model. The id, as we have same column in every table, would better be written in model class as guarded rather than writing it every time in every model.
For the extend, in the stackexchange link mentionned above it does say class model extend eloquent. In my model class there is no mention it extends that while we use same version (5.1)
You should still have fillable in every model, specific to that model. You will not mention ID in the fillable array therefore it will be automatically guarded. You don't need to set guarded to achieve this.
Let me make it a little clearer.
Everything not fillable is guarded !
For the extend, in the stackexchange link mentionned above it does say class model extend eloquent. In my model class there is no mention it extends that while we use same version (5.1)
He aliased Model as Eloquent. If you look at the code, he put:
use Illuminate\Database\Eloquent\Model as Eloquent;
Also, as Snapey so "eloquently" put it, everything not fillable is guarded by default. That's why you should set a fillable property, not a guarded property. The answer actually doesn't make sense because he is officially making only id guarded when everything is guarded by default.
Please or to participate in this conversation.