
LaraBABA

$guarded and $fillable

Hello,

From what I understand from the doc, $fillable is a whitelist of elements in an array while $guarded is the blacklist.

Where I am confused is how you could submit the user id to the database without passing it through a form in Laravel. In my old coding without a framework, I would have passed the user id of the post via a session and passed it back to a variable for further logic.

i.e., a form with:

name
surname
email

and in the database:

user_id
name
surname
email

Thank you.

0 likes
4 replies
Cronix

They both are to tell what is allowed to be mass assignable, and what isn't, but in opposite ways.

$fillable = properties that can be mass assignable. Anything not in the array cannot be mass assigned.

$guarded = properties that cannot be mass assignable, allowing all others through.

The manual says to use one or the other, but not both.

So if your db table had the following fields: name, age and location

And you only wanted name and age to be mass assignable, you could use

$fillable = ['name', 'age']; // name and age can be mass assignable, but location can't be

// or

$guarded = ['location']; // location can't be mass assignable, but name and age can

While $fillable serves as a "white list" of attributes that should be mass assignable, you may also choose to use $guarded. The $guarded property should contain an array of attributes that you do not want to be mass assignable. All other attributes not in the array will be mass assignable. So, $guarded functions like a "black list". Of course, you should use either $fillable or $guarded - not both.

https://laravel.com/docs/5.5/eloquent#mass-assignment

4 likes
sutherland

Even if a property is guarded, you can pass it through a form, you just can't mass assign it to the model.

If you have a user_id field, you'd do something like

$user = User::find($request->user_id);

$user->fill([
    'name' => $request->name,
    'surname' => $request->surname,
    'email' => $request->email
]);

$user->save();

But I'd personally use route model binding, where you make the request to a route defined like /users/{user} and then have a controller method like so:

public function update(Request $request, User $user)
{
    // Do whatever you need to update $user
}

Of course I should point out that if you are doing this for the currently authenticated user, there's no reason to pass an ID at all, just use Auth::user().

1 like
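Added example (not written by anyone in this thread, and not Laravel's own code): a plain-PHP stand-in for the filtering described in the replies above, showing a $fillable whitelist dropping a user_id that a client adds to the form while the server sets user_id from the authenticated session. MiniModel, Profile and the sample values are hypothetical.

```php
<?php
// Simplified stand-in for mass-assignment filtering.
// MiniModel is hypothetical and is NOT Eloquent's implementation.
class MiniModel
{
    protected array $fillable = [];      // whitelist
    protected array $guarded = ['*'];    // blacklist; '*' means nothing is fillable
    public array $attributes = [];

    public function isFillable(string $key): bool
    {
        if ($this->fillable !== []) {
            return in_array($key, $this->fillable, true);  // whitelist decides
        }
        if ($this->guarded === ['*']) {
            return false;                                  // everything guarded
        }
        return !in_array($key, $this->guarded, true);      // blacklist decides
    }

    // Copy only the fillable keys; anything else is dropped.
    public function fill(array $input): self
    {
        foreach ($input as $key => $value) {
            if ($this->isFillable($key)) {
                $this->attributes[$key] = $value;
            }
        }
        return $this;
    }
}

class Profile extends MiniModel
{
    protected array $fillable = ['name', 'surname', 'email'];
}

// Constructed sample input: the form has three fields, but the client sent a fourth.
$request = ['name' => 'Ann', 'surname' => 'Lee',
            'email' => 'ann@example.test', 'user_id' => 999];
$authenticatedUserId = 42;  // assumption: comes from the session/Auth, never the form

$profile = (new Profile())->fill($request);
$profile->attributes['user_id'] = $authenticatedUserId;  // set explicitly, server-side

var_dump($profile->attributes);
```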
hemantadsl

Now I have understood the difference between guard and fill.
