Validation Flashcards
What is a form request and how can you create one?
Form requests are custom request classes that encapsulate their own validation and authorization logic. To create a form request class, you may use the make:request Artisan CLI command:
php artisan make:request StorePostRequest
The generated form request class will be placed in the app/Http/Requests directory. If this directory does not exist, it will be created when you run the make:request command. Each form request generated by Laravel has two methods: authorize and rules.
As you might have guessed, the authorize method is responsible for determining if the currently authenticated user can perform the action represented by the request, while the rules method returns the validation rules that should apply to the request’s data:
public function rules(): array { return [ 'title' => 'required|unique:posts|max:255', 'body' => 'required', ]; }
How are validation rules evaluated?
All you need to do is type-hint the request on your controller method. The incoming form request is validated before the controller method is called, meaning you do not need to clutter your controller with any validation logic:
public function store(StorePostRequest $request): RedirectResponse
{
    // The incoming request is valid...

    // Retrieve the validated input data...
    $validated = $request->validated();

    // Retrieve a portion of the validated input data...
    $validated = $request->safe()->only(['name', 'email']);
    $validated = $request->safe()->except(['name', 'email']);

    // Store the blog post...

    return redirect('/posts');
}
If validation fails, a redirect response will be generated to send the user back to their previous location. The errors will also be flashed to the session so they are available for display. If the request was an XHR request, an HTTP response with a 422 status code will be returned to the user including a JSON representation of the validation errors.
How can you perform additional validation after your initial validation is complete?
You can accomplish this using the form request’s after method.
The after method should return an array of callables or closures which will be invoked after validation is complete. The given callables will receive an Illuminate\Validation\Validator instance, allowing you to raise additional error messages if necessary.
How can you inform the validator that it should stop validating all attributes once a single validation failure has occurred?
By adding a stopOnFirstFailure property to your request class: protected $stopOnFirstFailure = true;
By default, a redirect response will be generated to send the user back to their previous location when form request validation fails. How can you change that?
You are free to customize this behavior. To do so, define a $redirect property on your form request: protected $redirect = '/dashboard';
Or, if you would like to redirect users to a named route, you may define a $redirectRoute property instead: protected $redirectRoute = 'dashboard';
The form request class also contains an authorize method. What does it do?
Within this method, you may determine if the authenticated user actually has the authority to update a given resource. For example, you may determine if a user actually owns a blog comment they are attempting to update. Most likely, you will interact with your authorization gates and policies within this method:
public function authorize(): bool { $comment = Comment::find($this->route('comment')); return $comment && $this->user()->can('update', $comment); }
How can you customize the error messages used by the form request?
You may customize them by overriding the messages method. This method should return an array of attribute / rule pairs and their corresponding error messages:
public function messages(): array { return [ 'title.required' => 'A title is required', 'body.required' => 'A message is required', ]; }
Many of Laravel’s built-in validation rule error messages contain an :attribute placeholder. How can you replace the :attribute placeholder of your validation message with a custom attribute name?
If you would like the :attribute placeholder of your validation message to be replaced with a custom attribute name, you may specify the custom names by overriding the attributes method. This method should return an array of attribute / name pairs:
public function attributes(): array { return [ 'email' => 'email address', ]; }
How can you prepare or sanitize any data from the request before you apply your validation rules?
If you need to prepare or sanitize any data from the request before you apply your validation rules, you may use the prepareForValidation method:
protected function prepareForValidation(): void { $this->merge([ 'slug' => Str::slug($this->slug), ]); }
Likewise, if you need to normalize any request data after validation is complete, you may use the passedValidation method:
protected function passedValidation(): void { $this->replace(['name' => 'Taylor']); }
How can you manually create validators instead of using the validate method?
If you do not want to use the validate method on the request, you may create a validator instance manually using the Validator facade. The make method on the facade generates a new validator instance. The first argument passed to the make method is the data under validation. The second argument is an array of the validation rules that should be applied to the data. After determining whether the request validation failed, you may use the withErrors method to flash the error messages to the session. When using this method, the $errors variable will automatically be shared with your views after redirection, allowing you to easily display them back to the user. The withErrors method accepts a validator, a MessageBag, or a PHP array.
How can you create a validator instance manually but still take advantage of the automatic redirection offered by the HTTP request’s validate method?
You may call the validate method on an existing validator instance. If validation fails, the user will automatically be redirected or, in the case of an XHR request, a JSON response will be returned:
Validator::make($request->all(), [ 'title' => 'required|unique:posts|max:255', 'body' => 'required', ])->validate();
You may use the validateWithBag method to store the error messages in a named error bag if validation fails:
Validator::make($request->all(), [ 'title' => 'required|unique:posts|max:255', 'body' => 'required', ])->validateWithBag('post');
If you have multiple forms on a single page, you may wish to name the MessageBag containing the validation errors, allowing you to retrieve the error messages for a specific form. How can you achieve this?
To achieve this, pass a name as the second argument to withErrors: return redirect('/register')->withErrors($validator, 'login');
You may then access the named MessageBag instance from the $errors variable: {{ $errors->login->first('email') }}
Sometimes you may wish to specify a custom error message only for a specific attribute. How can you do that?
You may do so using dot notation. Specify the attribute’s name first, followed by the rule:
$messages = [ 'email.required' => 'We need to know your email address!', ];
Laravel provides a variety of helpful validation rules; however, you may wish to specify some of your own. One method of registering custom validation rules is using rule objects. Which command lets you generate a new rule object?
To generate a new rule object, you may use the make:rule Artisan command. Laravel will place the new rule in the app/Rules directory. If this directory does not exist, Laravel will create it when you execute the Artisan command to create your rule: php artisan make:rule Uppercase
Once the rule has been created, we are ready to define its behavior. A rule object contains a single method: validate. This method receives the attribute name, its value, and a callback that should be invoked on failure with the validation error message:
public function validate(string $attribute, mixed $value, Closure $fail): void { if (strtoupper($value) !== $value) { $fail('The :attribute must be uppercase.'); } }
If you only need the functionality of a custom rule once throughout your application, how can you achieve that without making a rule object?
You may use a closure. The closure receives the attribute’s name, the attribute’s value, and a $fail callback that should be called if validation fails:
$validator = Validator::make($request->all(), [ 'title' => [ 'required', 'max:255', function (string $attribute, mixed $value, Closure $fail) { if ($value === 'foo') { $fail("The {$attribute} is invalid."); } }, ], ]);
What does the accepted rule do?
The field under validation must be “yes”, “on”, 1, “1”, true, or “true”. This is useful for validating “Terms of Service” acceptance or similar fields.
What does the active_url rule do?
The field under validation must have a valid A or AAAA record according to the dns_get_record PHP function. The hostname of the provided URL is extracted using the parse_url PHP function before being passed to dns_get_record.
What does the after:date rule do?
The field under validation must be a value after a given date. The dates will be passed into the strtotime PHP function in order to be converted to a valid DateTime instance: 'start_date' => 'required|date|after:tomorrow'
Instead of passing a date string to be evaluated by strtotime, you may specify another field to compare against the date: 'finish_date' => 'required|date|after:start_date'
What does the after_or_equal:date rule do?
The field under validation must be a value after or equal to the given date.
What does the alpha rule do?
The field under validation must be entirely Unicode alphabetic characters contained in \p{L} and \p{M}.
To restrict this validation rule to characters in the ASCII range (a-z and A-Z), you may provide the ascii option to the validation rule: 'username' => 'alpha:ascii',
What does the alpha_dash rule do?
Same as alpha_num, but also allows - and _
What does the alpha_num rule do?
The field under validation must be entirely Unicode alpha-numeric characters contained in \p{L}, \p{M}, and \p{N}.
To restrict this validation rule to characters in the ASCII range (a-z and A-Z), you may provide the ascii option to the validation rule:
'username' => 'alpha_num:ascii',
What does the array rule do?
The field under validation must be a PHP array.
When additional values are provided to the array rule, each key in the input array must be present within the list of values provided to the rule. In the following example, the admin key in the input array is invalid since it is not contained in the list of values provided to the array rule. In general, you should always specify the array keys that are allowed to be present within your array.
What does the ascii rule do?
The field under validation must be entirely 7-bit ASCII characters.
What does the bail rule do?
Stop running validation rules for the field after the first validation failure.
While the bail rule will only stop validating a specific field when it encounters a validation failure, the stopOnFirstFailure method will inform the validator that it should stop validating all attributes once a single validation failure has occurred:
if ($validator->stopOnFirstFailure()->fails()) {
    // ...
}
What does the before:date rule do?
The field under validation must be a value preceding the given date. The dates will be passed into the PHP strtotime function in order to be converted into a valid DateTime instance. In addition, like the after rule, the name of another field under validation may be supplied as the value of date.
What does the before_or_equal:date rule do?
The field under validation must be a value preceding or equal to the given date. The dates will be passed into the PHP strtotime function in order to be converted into a valid DateTime instance. In addition, like the after rule, the name of another field under validation may be supplied as the value of date.
What does the between:min,max rule do?
The field under validation must have a size between the given min and max (inclusive). Strings, numerics, arrays, and files are evaluated in the same fashion as the size rule.
What does the boolean rule do?
The field under validation must be able to be cast as a boolean. Accepted inputs are true, false, 1, 0, “1”, and “0”.
What does the confirmed rule do?
The field under validation must have a matching field of {field}_confirmation. For example, if the field under validation is password, a matching password_confirmation field must be present in the input.
What does the contains:exa,mple,… rule do?
The field under validation must be an array that contains all of the given parameter values
What does the current_password rule do?
The field under validation must match the authenticated user’s password. You may specify an authentication guard using the rule’s first parameter: 'password' => 'current_password:api'
What does the date rule do?
The field under validation must be a valid, non-relative date according to the strtotime PHP function.
What does the date_equals:date rule do?
The field under validation must be equal to the given date. The dates will be passed into the PHP strtotime function in order to be converted into a valid DateTime instance
What does the date_format:format,… rule do?
The field under validation must match one of the given formats. You should use either date or date_format when validating a field, not both. This validation rule supports all formats supported by PHP’s DateTime class
What does the decimal:min,max rule do?
The field under validation must be numeric and must contain the specified number of decimal places:
// Must have exactly two decimal places (9.99)...
'price' => 'decimal:2'

// Must have between 2 and 4 decimal places...
'price' => 'decimal:2,4'
What does the declined rule do?
The field under validation must be “no”, “off”, 0, “0”, false, or “false”.
What does the different:field rule do?
The field under validation must have a different value than field
What does the digits:value rule do?
The integer under validation must have the exact length of value
What does the digits_between:min,max rule do?
The integer under validation must have a length between the given min and max.
What does the dimensions rule do?
The file under validation must be an image meeting the dimension constraints as specified by the rule’s parameters: 'avatar' => 'dimensions:min_width=100,min_height=200'
Available constraints are: min_width, max_width, min_height, max_height, width, height, ratio.
A ratio constraint should be represented as width divided by height. This can be specified either by a fraction like 3/2 or a float like 1.5: 'avatar' => 'dimensions:ratio=3/2'
Since this rule requires several arguments, you may use the Rule::dimensions method to fluently construct the rule:
Validator::make($data, [ 'avatar' => [ 'required', Rule::dimensions()->maxWidth(1000)->maxHeight(500)->ratio(3 / 2), ], ]);
What does the distinct rule do?
When validating arrays, the field under validation must not have any duplicate values: 'foo.*.id' => 'distinct'
Distinct uses loose variable comparisons by default. To use strict comparisons, you may add the strict parameter to your validation rule definition: 'foo.*.id' => 'distinct:strict'
You may add ignore_case to the validation rule’s arguments to make the rule ignore capitalization differences: 'foo.*.id' => 'distinct:ignore_case'
What does the doesnt_start_with:example,example2,… rule do?
The field under validation must not start with one of the given values.
What does the doesnt_end_with:example,example2,… rule do?
The field under validation must not end with one of the given values.
What does the email rule do?
The field under validation must be formatted as an email address. This validation rule utilizes the egulias/email-validator package for validating the email address. By default, the RFCValidation validator is applied, but you can apply other validation styles as well: 'email' => 'email:rfc,dns'
The example will apply the RFCValidation and DNSCheckValidation validations. Here’s a full list of all other validation styles you can apply:
strict: NoRFCWarningsValidation
spoof: SpoofCheckValidation
filter: FilterEmailValidation
filter_unicode: FilterEmailValidation::unicode()
What does the ends_with:example,example2,… rule do?
The field under validation must end with one of the given values.
What does the enum rule do?
The Enum rule is a class based rule that validates whether the field under validation contains a valid enum value. The Enum rule accepts the name of the enum as its only constructor argument. When validating primitive values, a backed Enum should be provided to the Enum rule.
The Enum rule’s only and except methods may be used to limit which enum cases should be considered valid: Rule::enum(ServerStatus::class)->only([ServerStatus::Pending, ServerStatus::Active]);
The when method may be used to conditionally modify the Enum rule: Rule::enum(ServerStatus::class)->when...
What does the exclude rule do?
The field under validation will be excluded from the request data returned by the validate and validated methods
What does the exclude_if:anotherfield,value rule do?
The field under validation will be excluded from the request data returned by the validate and validated methods if the anotherfield field is equal to value.
If complex conditional exclusion logic is required, you may utilize the Rule::excludeIf method. This method accepts a boolean or a closure. When given a closure, the closure should return true or false to indicate if the field under validation should be excluded:
Validator::make($request->all(), [ 'role_id' => Rule::excludeIf($request->user()->is_admin), ]);
What does the exclude_unless:anotherfield,value rule do?
The field under validation will be excluded from the request data returned by the validate and validated methods unless anotherfield’s field is equal to value. If value is null (exclude_unless:name,null), the field under validation will be excluded unless the comparison field is null or the comparison field is missing from the request data
What does the exclude_with:anotherfield rule do?
The field under validation will be excluded from the request data returned by the validate and validated methods if the anotherfield field is present.
What does the exclude_without:anotherfield rule do?
The field under validation will be excluded from the request data returned by the validate and validated methods if the anotherfield field is not present.
What does the exists:table,column rule do?
The field under validation must exist in a given database table
What does the extensions:example,example2,… rule do?
The file under validation must have a user-assigned extension corresponding to one of the listed extensions: 'photo' => ['required', 'extensions:jpg,png'],
You should never rely on validating a file by its user-assigned extension alone. This rule should typically always be used in combination with the mimes or mimetypes rules.
What does the file rule do?
The field under validation must be a successfully uploaded file.
What does the filled rule do?
The field under validation must not be empty when it is present.
What does the gt:field rule do?
The field under validation must be greater than the given field or value. The two fields must be of the same type. Strings, numerics, arrays, and files are evaluated using the same conventions as the size rule.
What does the gte:field rule do?
The field under validation must be greater than or equal to the given field or value. The two fields must be of the same type. Strings, numerics, arrays, and files are evaluated using the same conventions as the size rule.
What does the hex_color rule do?
The field under validation must contain a valid color value in hexadecimal format.
What does the image rule do?
The file under validation must be an image (jpg, jpeg, png, bmp, gif, svg, or webp).
What does the in:example,example2,… rule do?
The field under validation must be included in the given list of values. Since this rule often requires you to implode an array, the Rule::in method may be used to fluently construct the rule:
Validator::make($data, [ 'zones' => [ 'required', Rule::in(['first-zone', 'second-zone']), ], ]);
When the in rule is combined with the array rule, each value in the input array must be present within the list of values provided to the in rule.
What does the in_array:anotherfield.* rule do?
The field under validation must exist in anotherfield’s values.
What does the integer rule do?
The field under validation must be an integer.
This validation rule does not verify that the input is of the “integer” variable type, only that the input is of a type accepted by PHP’s FILTER_VALIDATE_INT rule. If you need to validate the input as being a number, please use this rule in combination with the numeric validation rule.
What does the ip rule do?
The field under validation must be an IP address
What does the ipv4 rule do?
The field under validation must be an IPv4 address
What does the ipv6 rule do?
The field under validation must be an IPv6 address
What does the json rule do?
The field under validation must be a valid JSON string
What does the lt:field rule do?
The field under validation must be less than the given field. The two fields must be of the same type. Strings, numerics, arrays, and files are evaluated using the same conventions as the size rule
What does the lte:field rule do?
The field under validation must be less than or equal to the given field. The two fields must be of the same type. Strings, numerics, arrays, and files are evaluated using the same conventions as the size rule
What does the lowercase rule do?
The field under validation must be lowercase
What does the list rule do?
The field under validation must be an array that is a list. An array is considered a list if its keys consist of consecutive numbers from 0 to count($array) - 1
What does the mac_address rule do?
The field under validation must be a MAC address
What does the max:value rule do?
The field under validation must be less than or equal to a maximum value. Strings, numerics, arrays, and files are evaluated in the same fashion as the size rule
What does the max_digits:value rule do?
The integer under validation must have a maximum length of value
What does the mimetypes:text/plain,… rule do?
The file under validation must match one of the given MIME types: 'video' => 'mimetypes:video/avi,video/mpeg,video/quicktime'
To determine the MIME type of the uploaded file, the file’s contents will be read and the framework will attempt to guess the MIME type, which may be different from the client’s provided MIME type
What does the mimes:example,example2,… rule do?
The file under validation must have a MIME type corresponding to one of the listed extensions: 'photo' => 'mimes:jpg,bmp,png'
Even though you only need to specify the extensions, this rule actually validates the MIME type of the file by reading the file’s contents and guessing its MIME type.
This validation rule does not verify agreement between the MIME type and the extension the user assigned to the file. For example, the mimes:png validation rule would consider a file containing valid PNG content to be a valid PNG image, even if the file is named photo.txt. If you would like to validate the user-assigned extension of the file, you may use the extensions rule.
What does the min:value rule do?
The field under validation must have a minimum value. Strings, numerics, arrays, and files are evaluated in the same fashion as the size rule.
What does the min_digits:value rule do?
The integer under validation must have a minimum length of value.
What does the multiple_of:value rule do?
The field under validation must be a multiple of value
What does the missing rule do?
The field under validation must not be present in the input data
What does the missing_if:anotherfield,value,… rule do?
The field under validation must not be present if the anotherfield field is equal to any value.
What does the missing_unless:anotherfield,value rule do?
The field under validation must not be present unless the anotherfield field is equal to any value
What does the missing_with:example,example2 rule do?
The field under validation must not be present only if any of the other specified fields are present
What does the missing_with_all:example,example2,… rule do?
The field under validation must not be present only if all of the other specified fields are present
What does the not_in:example,example2,… rule do?
The field under validation must not be included in the given list of values. The Rule::notIn method may be used to fluently construct the rule:
Validator::make($data, [ 'toppings' => [ 'required', Rule::notIn(['sprinkles', 'cherries']), ], ]);
What does the not_regex:pattern rule do?
The field under validation must not match the given regular expression.
Internally, this rule uses the PHP preg_match function. The pattern specified should obey the same formatting required by preg_match and thus also include valid delimiters. For example: 'email' => 'not_regex:/^.+$/i'
When using the regex / not_regex patterns, it may be necessary to specify your validation rules using an array instead of using | delimiters, especially if the regular expression contains a | character
What does the nullable rule do?
The field under validation may be null
What does the numeric rule do?
The field under validation must be numeric
What does the present rule do?
The field under validation must exist in the input data.
What does the present_if:anotherfield,value,… rule do?
The field under validation must be present if the anotherfield field is equal to any value
What does the present_unless:anotherfield,value rule do?
The field under validation must be present unless the anotherfield field is equal to any value
What does the present_with:ex1,ex2,… rule do?
The field under validation must be present only if any of the other specified fields are present
What does the present_with_all:ex1,ex2,… rule do?
The field under validation must be present only if all of the other specified fields are present
What does the prohibited rule do?
The field under validation must be missing or empty. A field is “empty” if it meets one of the following criteria:
The value is null.
The value is an empty string.
The value is an empty array or empty Countable object.
The value is an uploaded file with an empty path.
What does the prohibited_if:anotherfield,value,… rule do?
The field under validation must be missing or empty if the anotherfield field is equal to any value. A field is “empty” if it meets one of the following criteria:
The value is null.
The value is an empty string.
The value is an empty array or empty Countable object.
The value is an uploaded file with an empty path.
If complex conditional prohibition logic is required you may utilize the Rule::prohibitedIf method. This method accepts a boolean or a closure. When given a closure, the closure should return true or false to indicate if the field under validation should be prohibited:
Validator::make($request->all(), [ 'role_id' => Rule::prohibitedIf($request->user()->is_admin), ]);
What does the prohibited_unless:anotherfield,value,… rule do?
The field under validation must be missing or empty unless the anotherfield field is equal to any value. A field is “empty” if it meets one of the following criteria:
The value is null.
The value is an empty string.
The value is an empty array or empty Countable object.
The value is an uploaded file with an empty path.
What does the prohibits:anotherfield,… rule do?
If the field under validation is not missing or empty, all fields in anotherfield must be missing or empty. A field is “empty” if it meets one of the following criteria:
The value is null.
The value is an empty string.
The value is an empty array or empty Countable object.
The value is an uploaded file with an empty path.
What does the regex:pattern rule do?
The field under validation must match the given regular expression.
Internally, this rule uses the PHP preg_match function. The pattern specified should obey the same formatting required by preg_match and thus also include valid delimiters. For example: 'email' => 'regex:/^.+@.+$/i'
When using the regex / not_regex patterns, it may be necessary to specify rules in an array instead of using | delimiters, especially if the regular expression contains a | character
What does the required rule do?
The field under validation must be present in the input data and not empty. A field is “empty” if it meets one of the following criteria:
The value is null.
The value is an empty string.
The value is an empty array or empty Countable object.
The value is an uploaded file with no path.
What does the required_if:anotherfield,value,… rule do?
The field under validation must be present and not empty if the anotherfield field is equal to any value. If you would like to construct a more complex condition for the required_if rule, you may use the Rule::requiredIf method. This method accepts a boolean or a closure. When passed a closure, the closure should return true or false to indicate if the field under validation is required:
Validator::make($request->all(), [ 'role_id' => Rule::requiredIf($request->user()->is_admin), ]);
What does the required_if_accepted:anotherfield,… rule do?
The field under validation must be present and not empty if the anotherfield field is equal to “yes”, “on”, 1, “1”, true, or “true”
What does the required_if_declined:anotherfield,… rule do?
The field under validation must be present and not empty if the anotherfield field is equal to “no”, “off”, 0, “0”, false, or “false”
What does the required_unless:another,value,… rule do?
The field under validation must be present and not empty unless the anotherfield field is equal to any value. This also means anotherfield must be present in the request data unless value is null. If value is null (required_unless:name,null), the field under validation will be required unless the comparison field is null or the comparison field is missing from the request data.
What does the required_with:ex1,ex2,… rule do?
The field under validation must be present and not empty only if any of the other specified fields are present and not empty
What does the required_with_all:ex1,ex2,… rule do?
The field under validation must be present and not empty only if all of the other specified fields are present and not empty
What does the required_without:ex1,ex2,… rule do?
The field under validation must be present and not empty only when any of the other specified fields are empty or not present
What does the required_without_all:ex1,ex2,… rule do?
The field under validation must be present and not empty only when all of the other specified fields are empty or not present
What does the required_array_keys:ex1,ex2,… rule do?
The field under validation must be an array and must contain at least the specified keys
What does the same:field rule do?
The given field must match the field under validation
What does the size:value rule do?
The field under validation must have a size matching the given value. For string data, value corresponds to the number of characters. For numeric data, value corresponds to a given integer value (the attribute must also have the numeric or integer rule). For an array, size corresponds to the count of the array. For files, size corresponds to the file size in kilobytes.
What does the starts_with:ex1,ex2,… rule do?
The field under validation must start with one of the given values
What does the string rule do?
The field under validation must be a string. If you would like to allow the field to also be null, you should assign the nullable rule to the field
What does the timezone rule do?
The field under validation must be a valid timezone identifier according to the DateTimeZone::listIdentifiers method.
The arguments accepted by the DateTimeZone::listIdentifiers method may also be provided to this validation rule:
'timezone' => 'required|timezone:all';
'timezone' => 'required|timezone:Africa';
'timezone' => 'required|timezone:per_country,US';
What does the unique rule do?
The field under validation must not exist within the given database table
What does the uppercase rule do?
The field under validation must be uppercase
What does the url rule do?
The field under validation must be a valid URL.
If you would like to specify the URL protocols that should be considered valid, you may pass the protocols as validation rule parameters:
'url' => 'url:http,https', 'game' => 'url:minecraft,steam',
What does the ulid rule do?
The field under validation must be a valid Universally Unique Lexicographically Sortable Identifier (ULID)
What does the uuid rule do?
The field under validation must be a valid RFC 4122 (version 1, 3, 4, or 5) universally unique identifier (UUID).