Is it possible that a fillable field in Laravel can be hacked?

class Student extends Model {
    protected $fillable = ['first_name', 'last_name', 'email'];
}

Source: https://medium.com/@kshitij206/laravel-mass-assignment-guarded-or-fillable-7c3a64b49ca6

Everywhere on the Internet, they say to use fillable or guarded for security in Laravel.

But if a field is fillable, then, can this field be hacked?

Ron van der Heijden On

All Eloquent models are protected against mass-assignment by default, so to use mass assignment, you should specify a fillable or guarded attribute on the model to use the create method to save a new model in a single line.

So the code below should cause an error:

$flight = App\Flight::create(['name' => 'Flight 10', 'number' => 3]);

when you have

protected $fillable = ['name'];

Because you cannot mass assign the number property here.

Read more here: https://laravel.com/docs/7.x/eloquent#mass-assignment
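
As an added example (not from the question, the answer, or Laravel's own code): `$fillable` decides which columns `create()` may set, not whether the submitted values are acceptable, so it is normally paired with request validation. The sketch assumes Laravel 7.x, the question's `Student` model living at `App\Student`, a `students` table, and a hypothetical `StudentController`.

```php
<?php
// Added example, not from the page. Assumes Laravel 7.x, the question's
// Student model at App\Student, and a hypothetical StudentController.

namespace App\Http\Controllers;

use App\Student;
use Illuminate\Http\Request;

class StudentController extends Controller
{
    // Weak: $fillable keeps create() from setting columns other than
    // first_name, last_name and email, but those three values are stored
    // exactly as the client sent them (any length, any string as "email").
    public function storeUnvalidated(Request $request)
    {
        return Student::create($request->all());
    }

    // Hardened: validate() returns only the keys that have rules, so
    // create() receives checked values for the fillable columns and
    // nothing else from the request.
    public function store(Request $request)
    {
        $validated = $request->validate([
            'first_name' => 'required|string|max:100',
            'last_name'  => 'required|string|max:100',
            'email'      => 'required|email|max:255|unique:students,email',
        ]);

        return response()->json(Student::create($validated), 201);
    }
}
```

Columns that must never come from user input (a role or an admin flag, for instance) stay out of `$fillable` and are set explicitly in server-side code.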