Laravel's request safe() method is a must-know

Dec 28, 2025

•

Security , Laravel , Mass-Assignment

• 1 min read

Lately, there’s been a trend of using model $guarded = [] with $request->validated() as a way of solving mass-assigment.

This can make you fall into the trap of thinking other request methods work just like validated(), i.e except:

User::create([
    'name' => implode(' ', $request->first_name, $request->last_name),
    ...$request->except(['last_name', 'first_name']);
]);

However, this is absolutely not the case and leaves you vulnerable to mass-assigment. For example, the code above allows someone to pass the score field.

What we should use in such scenario is $request->safe()->except().

P.S I’m glad the docs mentions safe next to the validated, so long as you read it 😅 Something to keep in mind.