Bypassing $fillable Safely with forceFill() in Laravel

July 2, 2025

Bypassing $fillable Safely with forceFill() in Laravel

Ever used create() in Laravel and noticed some fields like role or status didn’t save? That’s because Laravel’s mass assignment protection silently ignores non-whitelisted attributes.

🔐 What Is Mass Assignment?

Mass assignment lets you set multiple model attributes in one go, e.g.:

User::create([
  'name' => 'John',
  'email' => '[email protected]',
  'role' => 'admin', // This won’t get saved if not fillable
]);

🛡️ Two Ways to Control Fillable Fields

1. $fillable (Whitelist)

protected $fillable = ['name', 'email'];

Only listed fields are allowed for mass assignment.

2. $guarded (Blacklist)

protected $guarded = ['role'];

Everything is fillable except the blacklisted attributes.

⚡ Enter forceFill()

When you trust your data source (e.g., from an internal service, seeder, or job), you can bypass fillable/guarded protection using:

$user = new User;

$user->forceFill([
  'name' => 'John',
  'email' => '[email protected]',
  'role' => 'admin',  // Will be assigned regardless of $fillable
])->save();

No need to adjust your $fillable or $guarded, and it's safe when used properly.

✔️ When to Use Each

  • $fillable: For trusted user input (forms, APIs).
  • $guarded: When many fields are fillable except a few.
  • forceFill(): For backend logic with trusted data.

Using create() without understanding mass assignment may result in “missing fields” — use the right tool for the job. Laravel is powerful when used with understanding.

Blog

Analyze Laravel Projects with Introspect

Jul 01, 2025

Analyze Laravel Codebases with Laravel Introspect If you’re doing a complex refactor or building dev tools, Laravel Introspect helps you quer...

Explore the Most Powerful Modern Laravel Tools: Inertia.js, View Creators, and HLS — Step by Step

Jul 27, 2025

Here’s a complete breakdown of essential tools to level up your Laravel development: Inertia.js v2, View Creators, and the Laravel HLS package...

Load JavaScript on Demand to Boost Site Performance

Jul 24, 2025

🧠 What is Dynamic Import? Dynamic import allows you to load JavaScript modules at runtime—only when needed. This approach is fantastic for r...

React History – A Professional Developer’s Perspective

Jul 26, 2025

1. Origins: Born Inside Facebook In 2011, Facebook engineers faced the increasing complexity of building interactive UIs at scale. They developed...

React Labs: View Transitions & Activity

Jun 17, 2025

React Labs: View Transitions & Activity Published April 23, 2025 by Ricky Hanlon. React Labs is sharing two new experimental featu...

Guide to Scroll‑Driven Animations with CSS

Jun 26, 2025

Guide to Scroll‑Driven Animations with CSS CSS animations can now be linked to user scrolling without any JavaScript — just pure CSS. 1. Thr...