Laravel FormRequest safe() method is a must-know

Dec 28, 2025

•

Security , Laravel , Mass-Assignment

• 1 min read

$request->except() operates on the entire request, not just validated fields. This leaves you open to mass-assignment:

User::create([
    'name' => implode(' ', [$request->first_name, $request->last_name]),
    ...$request->except(['first_name', 'last_name']),
]);

Anyone can slip a score or is_admin field through. Use safe() instead:

User::create([
    'name' => implode(' ', [$request->first_name, $request->last_name]),
    ...$request->safe()->except(['first_name', 'last_name']),
]);

safe()->except() excludes from the validated set and not the raw request.