Mass Assignment and $fillable: Protect Your Models
Understand how to safely insert and update data using $fillable in Eloquent models.
Kevin Ross
September 25, 2025
Mass assignment lets you pass an array of attributes directly into create() or update().
If the accepted keys are not restricted, a user can modify sensitive fields by sending extra keys in the request.
## Risky example
```php
Post::create($request->all());
```
## Safe pattern
Model:
```php
protected $fillable = ['title', 'body'];
```
Controller:
```php
$data = $request->validate([
    'title' => 'required',
    'body' => 'required',
]);

Post::create($data);
```
## Safe flow
```mermaid
flowchart TD
A[Request] --> B[Validation]
B --> C[Allowed Fields]
C --> D[Model $fillable]
D --> E[(DB)]
```
This protects your application from hidden field injection.
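The test below is an added example, not code from the original tutorial. It checks the claim above against the Post model and also goes one step further, showing the switch that makes Eloquent report discarded keys instead of dropping them silently. It assumes a standard Laravel skeleton (Tests\TestCase, App\Models\Post), a Laravel version that provides Model::preventSilentlyDiscardingAttributes(), and that the app does not already enable strict mode; is_admin and user_id are constructed field names.

```php
<?php
// Added example: save as tests/Feature/PostMassAssignmentTest.php in a standard Laravel app.
// Assumes App\Models\Post is the model above ($fillable = ['title', 'body']) with no
// mutators or casts on those fields. is_admin and user_id are constructed field names.

namespace Tests\Feature;

use App\Models\Post;
use Illuminate\Database\Eloquent\MassAssignmentException;
use Illuminate\Database\Eloquent\Model;
use Tests\TestCase;

class PostMassAssignmentTest extends TestCase
{
    /** Constructed payload: the two form fields plus keys the form never exposes. */
    private array $payload = [
        'title'    => 'Hello',
        'body'     => 'World',
        'is_admin' => true,
        'user_id'  => 999,
    ];

    public function test_non_fillable_keys_never_reach_the_model(): void
    {
        // fill() is what create() and update() use internally; no database is needed.
        $post = (new Post())->fill($this->payload);

        $this->assertSame('Hello', $post->title);
        $this->assertSame('World', $post->body);
        $this->assertArrayNotHasKey('is_admin', $post->getAttributes());
        $this->assertArrayNotHasKey('user_id', $post->getAttributes());
    }

    public function test_strict_mode_reports_discarded_keys(): void
    {
        // By default extra keys are dropped silently. With this switch they throw,
        // so an unexpected field in a request shows up in tests and logs.
        Model::preventSilentlyDiscardingAttributes();

        try {
            $this->expectException(MassAssignmentException::class);
            (new Post())->fill($this->payload);
        } finally {
            Model::preventSilentlyDiscardingAttributes(false); // restore for other tests
        }
    }
}
```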
In the next tutorial, we will display large data sets using pagination.