Fillable vs Guarded in Eloquent: Key Differences and Usage
fillable defines which attributes can be mass assigned, while guarded specifies which attributes cannot be mass assigned. Use fillable to whitelist fields and guarded to blacklist fields during mass assignment.
Quick Comparison
This table summarizes the main differences between fillable and guarded properties in Laravel Eloquent models.
| Aspect | fillable | guarded |
|---|---|---|
| Purpose | Specifies allowed attributes for mass assignment | Specifies attributes that are not allowed for mass assignment |
| Default Value | Empty array (no attributes allowed by default) | Empty array (all attributes allowed by default) |
| Usage Style | Whitelist approach | Blacklist approach |
| Typical Use Case | Allow only specific fields to be mass assigned | Block sensitive fields from mass assignment |
| Conflict Behavior | Overrides guarded if both are set | Ignored if fillable is set |
| Security | More secure by explicitly allowing fields | Less secure if not carefully managed |
Key Differences
The fillable property in an Eloquent model is an array listing the attributes that you want to allow for mass assignment. This means when you create or update a model using methods like create() or update(), only the attributes in fillable will be set. It acts as a whitelist, making it safer by explicitly specifying which fields can be changed in bulk.
On the other hand, guarded is an array of attributes that you want to protect from mass assignment. It acts as a blacklist, blocking those fields from being set through mass assignment. If guarded is empty, it means all attributes are mass assignable, which can be risky if sensitive fields are not protected.
Both properties cannot be used effectively at the same time because Laravel prioritizes fillable over guarded. Choosing between them depends on whether you prefer to specify allowed fields (fillable) or blocked fields (guarded).
Code Comparison
Here is how you use fillable to allow only specific fields for mass assignment in a Laravel model.
```php
use Illuminate\Database\Eloquent\Model;

class User extends Model
{
    // Only these attributes may be set through mass assignment.
    protected $fillable = ['name', 'email', 'password'];
}

// Usage
User::create([
    'name' => 'Alice',
    'email' => 'alice@example.com',
    'password' => 'secret',
    'is_admin' => true, // This will be ignored
]);
```
Guarded Equivalent
Here is how you use guarded to block specific fields from mass assignment in a Laravel model.
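```php
use Illuminate\Database\Eloquent\Model;

class User extends Model
{
    // These attributes are blocked from mass assignment; all others are allowed.
    protected $guarded = ['is_admin'];
}

// Usage
User::create([
    'name' => 'Bob',
    'email' => 'bob@example.com',
    'password' => 'secret',
    'is_admin' => true, // This will be ignored
]);
```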
When to Use Which
Choose fillable when you want to explicitly allow only certain fields to be mass assigned, which is safer for most applications, especially when handling user input.
Choose guarded when you want to block only a few sensitive fields and allow all others, which can be convenient but requires careful management to avoid security risks.
In general, fillable is recommended for better security and clarity.
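How the choice plays out when request input reaches the model, shown as an added example that is not code from the original page. It assumes a Laravel application with a users table that has an is_admin column; LooseUser, StrictUser and RegisterController are hypothetical names.

```php
<?php
// Added example; assumes a Laravel app whose `users` table has an
// `is_admin` column. All class names here are hypothetical.
use Illuminate\Database\Eloquent\Model;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

// Risky: an empty $guarded makes every column mass assignable.
class LooseUser extends Model
{
    protected $table = 'users';
    protected $guarded = [];
}

// Explicit: only the listed columns can be set through create()/update().
class StrictUser extends Model
{
    protected $table = 'users';
    protected $fillable = ['name', 'email', 'password'];
}

class RegisterController
{
    // Risky: every key the client sends reaches the model, so a body that
    // includes 'is_admin' => true is written to the database.
    public function storeLoose(Request $request)
    {
        return LooseUser::create($request->all());
    }

    // Hardened: validate() returns only the keys that have rules, and
    // $fillable on the model is a second gate if a caller passes more.
    public function storeStrict(Request $request)
    {
        $data = $request->validate([
            'name'     => ['required', 'string', 'max:255'],
            'email'    => ['required', 'email', 'unique:users,email'],
            'password' => ['required', 'string', 'min:12'],
        ]);
        $data['password'] = Hash::make($data['password']);

        // Privileged columns such as is_admin are never mass assigned; set
        // them by direct assignment behind an authorization check.
        return StrictUser::create($data);
    }
}
```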
Key Takeaways
- Use fillable to whitelist attributes allowed for mass assignment.
- Use guarded to blacklist attributes you want to protect from mass assignment.
- fillable is safer and preferred for most cases.
- Do not use fillable and guarded at the same time, to avoid conflicts.