Why you should never use $request->all() in Laravel

Adewale Ogundiran Charles
2 min readOct 25, 2020

I know a lot of Laravel developer makes use of $request->all()when making a POST request in Laravel.

So I did this website for a client and it has been live for some time, then suddenly the website became popular and hackers came to attack it, for weeks I kept fighting all forms of attack, what baffled me most is that the hacker keeps giving himself an admin account! yes, you read that right, he keeps granting himself an admin account.

I didn't know how he kept doing this, not until I went to the basics and started reading on all function by Laravel, then I read about $request->all(). NOw here is why you should never use request all especially when it comes to user registration part.

Now imagine a User Model with this fillable protected $fillable = [‘username’,’first_name’, ‘last_name’, ‘password’, ‘email’, ‘team_id’, ‘country’, ‘status’, ‘IsAdmin’,’avatar’];

and probably in your controller, you have something like

public function register(Request $request)


$rules = [

‘username’ => [‘required’, ‘string’, ‘max:255’,’unique:users’],

‘first_name’ => [‘required’, ‘string’, ‘max:255’,],

‘last_name’ => [‘required’, ‘string’, ‘max:255’,],

‘email’ => [‘required’, ‘string’, ‘max:500’, ‘unique:users’],

‘password’ => [‘required’, ‘string’, ‘min:8’, ‘confirmed’],

‘country’ => [‘required’, ‘integer’],


$credentials = $request->all();

$validator = Validator::make($credentials, $rules);

if ($validator->fails()) {

return response()->json([‘errors’ => $validator->errors()], 422);


$data = $request->all(); // dont ever do this..NEVER!!!!

try {


$user = User::create($data);

$token = JWTAuth::fromUser($user);

// Mail::to($user)->send(new NewUserEmail($user));


return response()->json(array_merge([‘token’ => $token, ‘message’ => ‘Account created successfully’]), 201);

} catch (\Exception $e) {


return response()->json([‘code’ => 422,’message’ => ‘Sorry an Error occured’], 422);



Now the issue here is that the hacker can just inspect elements in your browser and add another input field of IsAdmin and send it, of course, it will be accepted because you are accepting all requests.

Rather than accepting all, here is a better way to prevent hack of this kind on your website.

$data = $reques->only([‘username’,’first_name’,’last_name’,’email’,’password’,’country’]);

You can prevent it by using $request->only() than in an array declare the inputs you want your backend to accept.

you can alternatively also use the PHP inbuilt function in_array(), you will just place the data you don't want to be in your request, and when found you can tell it to throw an error!.

I hope this helps you if you have any questions you can ask in the comment section below.



Adewale Ogundiran Charles

Full Stack Developer | Laravel(PHP) | Vue Js Developer | Frontend Developer | Backend Developer | WordPress Developer