Tech AI Insights

Laravel Fillable vs. Guarded: What’s the Difference?

In Laravel, $fillable and $guarded are properties on Eloquent models that control the mass assignment of attributes.

What is Mass assignment?

Mass assignment is a way to set multiple fields at once by passing an array of data, instead of assigning each field one by one.

Example: With Mass Assignment


$userWithMassAssignment = User::create([
    'name' => 'Test User',
    'email' => 'test@example.com',
    'password' => bcrypt("password123")
]);

Example: Without Mass Assignment

$userWithOutMassAssignment = new User();

$userWithOutMassAssignment->name = "Test User";
$userWithOutMassAssignment->email = "test@example.com";
$userWithOutMassAssignment->password = bcrypt("password123");
$userWithOutMassAssignment->save();

What is Fillable?

Fillable lets you specify which attributes can be set through mass assignment when creating or updating records in the database. You do this by adding an array of attribute names to the `$fillable` property in your model. Any attributes not listed in `$fillable` will be ignored during mass assignment.

class User extends Model
{
/**
* The attributes that are mass assignable.
*
* @var array
*/
  protected $fillable = [
      'name',
      'email',
      'password',
   ];
}

In the example above, the fields ‘name,’ ‘email,’ and ‘password’ can be mass-assigned. Any other attributes that are not defined in the `$fillable` array will be ignored during create and update operations.

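Tip: If you want to allow all fields for mass assignment, you can do it with just one line. Note that `$fillable = ['*']` does not do this, because the `'*'` wildcard is only recognized in `$guarded`. The way to open up every attribute is an empty `$guarded` array, as shown below:

class User extends Model
{
/**
* The attributes that are protected from mass assignment (none).
*
* @var array
*/
   protected $guarded = [];
}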

Note: This can create security issues. Please be very careful when using it. Allowing all attributes to be mass-assignable is not a good practice.

What is Guarded?

Guarded is the opposite of Fillable. It lets you specify which attributes cannot be mass-assigned. You do this by adding an array of attribute names to the `$guarded` property in your model. Any attributes not listed in `$guarded` will be allowed for mass assignment.

class User extends Model
{
/**
* The attributes that are protected from mass assignment.
*
* @var array
*/
  protected $guarded = [
     'name',
     'email',
     'password',
  ];
}

In the example above, the attributes ‘name,’ ‘email,’ and ‘password’ are not allowed for mass assignment. Any other fields not listed in the `$guarded` array will be available for mass assignment.

Tip: If you want to block all attributes for mass assignment, you can do it with just one line, as shown below:

class User extends Model
{
/**
* The attributes that are protected from mass assignment.
*
* @var array
*/
   protected $guarded = ['*'];
}

When should you use fillable or guarded?

It is very important to make the right decision about which property to use because you cannot use both at the same time; you must choose one.

For example, if your user model has 50 to 60 attributes and you only need to protect 3 fields from mass assignment, it is better to use the `$guarded` property instead of listing every attribute in `$fillable`.
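
To see what each setting lets through, here is an added example (not part of the original article, and not Laravel's own code): a plain-PHP stand-in for Eloquent's mass-assignment filter. The function name `massAssignable`, the `is_admin` column and the request data are assumptions made for the illustration.

```php
<?php
// Simplified model of how Eloquent decides which keys survive mass assignment.
// Not Laravel's implementation: it leaves out details such as unguard() and
// the check that a guarded key is a real column.

/** Return the subset of $input a model with these settings would accept. */
function massAssignable(array $input, array $fillable, array $guarded): array
{
    $accepted = [];
    foreach ($input as $key => $value) {
        if (in_array($key, $fillable, true)) {
            $accepted[$key] = $value;      // explicitly allow-listed
            continue;
        }
        if ($guarded === ['*'] || in_array($key, $guarded, true)) {
            continue;                      // blocked by the deny list
        }
        if ($fillable === []) {
            $accepted[$key] = $value;      // no allow list: anything unguarded passes
        }
    }
    return $accepted;
}

// Constructed request body: a sign-up form plus one field the form never offered.
$request = [
    'name'     => 'Test User',
    'email'    => 'test@example.com',
    'password' => 'password123',
    'is_admin' => true,
];

// label => [fillable, guarded]; ['*'] is the default value of $guarded.
$cases = [
    'fillable = name, email, password'  => [['name', 'email', 'password'], ['*']],
    'guarded = is_admin'                => [[], ['is_admin']],
    'guarded = id (is_admin forgotten)' => [[], ['id']],
    'guarded = [] (everything open)'    => [[], []],
];

foreach ($cases as $label => [$fillable, $guarded]) {
    $keys = array_keys(massAssignable($request, $fillable, $guarded));
    printf("%-36s accepts: %s\n", $label, implode(', ', $keys));
}
```

The third case is the one to watch: a deny list only protects the columns someone remembered to list, so a sensitive column added later is mass-assignable until `$guarded` is updated.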

Conclusion

In simple terms, $fillable is like a “white list” that specifies which attributes can be mass-assigned, while $guarded is like a “black list” that lists the attributes that should not be mass-assigned.
