Explain fillable vs guarded.
In Laravel Eloquent models, when you perform mass assignment (for example using Model::create($request->all()) or update($data)), Laravel needs to know which attributes are safe to be written into the database.
Thatβs where $fillable and $guarded come in.
πΉ $fillable
- It is a whitelist of attributes that you allow for mass assignment.
- Only the fields listed inside
$fillablecan be filled usingcreate()orupdate().
β Example:
class User extends Model
{
protected $fillable = ['name', 'email', 'password'];
}
Now:
User::create([
'name' => 'Himanshu',
'email' => 'himanshu@example.com',
'password' => bcrypt('secret'),
'is_admin' => true // β ignored (not in fillable)
]);
Here, is_admin wonβt be saved because it is not in $fillable.
πΉ $guarded
- It is the opposite of
$fillable. - It is a blacklist of attributes that you want to protect from mass assignment.
- All other attributes (except those listed in
$guarded) are mass assignable.
β Example:
class User extends Model
{
protected $guarded = ['is_admin'];
}
Now:
User::create([
'name' => 'Himanshu',
'email' => 'himanshu@example.com',
'password' => bcrypt('secret'),
'is_admin' => true // β ignored (guarded)
]);
Here, is_admin wonβt be saved because it is guarded.
πΉ Key Difference
$fillableβ Only listed fields are mass assignable (strict control).$guardedβ All fields are mass assignable except those listed (loose control).
π You typically use one or the other, not both.
πΉ Special Case
If you want to allow all attributes:
protected $guarded = [];
If you want to block all attributes (not recommended):
protected $fillable = [];
β‘ Rule of Thumb:
- Use
$fillablewhen you want to specify exactly which fields are safe (more secure, common practice). - Use
$guardedwhen most fields are safe, and you just want to block a few sensitive ones.
No comments yet! You be the first to comment.