Bypassing $fillable Safely with forceFill() in Laravel

July 2, 2025

Bypassing $fillable Safely with forceFill() in Laravel

Ever used create() in Laravel and noticed some fields like role or status didn’t save? That’s because Laravel’s mass assignment protection silently ignores non-whitelisted attributes.

🔐 What Is Mass Assignment?

Mass assignment lets you set multiple model attributes in one go, e.g.:

User::create([
  'name' => 'John',
  'email' => '[email protected]',
  'role' => 'admin', // This won’t get saved if not fillable
]);

🛡️ Two Ways to Control Fillable Fields

1. $fillable (Whitelist)

protected $fillable = ['name', 'email'];

Only listed fields are allowed for mass assignment.

2. $guarded (Blacklist)

protected $guarded = ['role'];

Everything is fillable except the blacklisted attributes.

⚡ Enter forceFill()

When you trust your data source (e.g., from an internal service, seeder, or job), you can bypass fillable/guarded protection using:

$user = new User;

$user->forceFill([
  'name' => 'John',
  'email' => '[email protected]',
  'role' => 'admin',  // Will be assigned regardless of $fillable
])->save();

No need to adjust your $fillable or $guarded, and it's safe when used properly.

✔️ When to Use Each

  • $fillable: For trusted user input (forms, APIs).
  • $guarded: When many fields are fillable except a few.
  • forceFill(): For backend logic with trusted data.

Using create() without understanding mass assignment may result in “missing fields” — use the right tool for the job. Laravel is powerful when used with understanding.

Blog

Top Laravel & PHP Updates for Cleaner, Faster Code

Aug 17, 2025

Laravel Global Scopes: Automatic Query Filtering Eloquent Importance: Enforce consistent filters across all model queries (e.g., Soft Del...

Laravel 12.16.0 - New Features for Developers

Jun 03, 2025

Laravel 12.16.0 - New Features for Developers 1. New Validation Rule: in_array_keys You can now validate that an array contains at least one of the...

Laravel 12.19: Elegant Query Builders with PHP Attributes

Jul 07, 2025

Laravel 12.19: Elegant Query Builders with PHP Attributes In Laravel 12.19, you can now use the #[UseEloquentBuilder] PHP attribute to assign a cus...

Is Laravel Slow? Optimize Queries & Indexes for Maximum Performance

Jul 20, 2025

A detailed, example-rich guide to avoid slowdowns in Laravel apps by optimizing data retrieval and employing indexing smartly. 1. 🧠 Fetch Only...

Task Reminder with Laravel & MongoDB

Jun 30, 2025

📌 Building a Task Reminder App This guide shows how to set up a Laravel app using MongoDB to implement a task reminder system with authentication,...

Guide to Scroll‑Driven Animations with CSS

Jun 26, 2025

Guide to Scroll‑Driven Animations with CSS CSS animations can now be linked to user scrolling without any JavaScript — just pure CSS. 1. Thr...