Does Laravel $fillable protect when using ->update()?

Question

In my update action of my controller, I am doing:

    $fields = $request->all();

    $snippet = Snippet::findOrFail($id);
    $snippet->update($fields);

My Snippet Eloquent has fillable like this:

protected $fillable = [
        'title',
        'snippet'
    ];

Am I secure if anyone post something else than title and snippet in $request->all(); ?

Answer 1

After testing, I answer myself:

Laravel protect ->update(): that is you can't update a field if it is not present in $fillable

Answer 2

Try setting $guarded with variables that will be protected against mass assignment, if $fillable is not specified, and the key is not listed in the $guarded property, the framework will assume that the key can be safely mass-assigned.