Today's post is again about a seemingly obvious thing: data validation. Why you need validation, how to use it, custom rules, and why you should use a Form Request for validation.
In the projects I came across as a freelancer, receiving data from a user very often looked like this:
What is the problem? Accepting user data this way opens the application to two types of attack:
- XSS (Cross-Site Scripting) is a fairly common vulnerability that can be found in many web applications. Its essence is quite simple: an attacker manages to inject JavaScript code into a page that the developers never intended to be there.
- SQL injection is a web security vulnerability that allows an attacker to interfere with the queries an application makes to its database. As a rule, it lets them view data they would not normally be able to retrieve. This may be other users' data, or any other data the application itself has access to. In many cases the attacker can modify or delete this data, causing persistent changes to the application's content or behaviour.
So validation serves two purposes: first, it protects the application from untrusted input, and second, it guarantees the correctness of the data entered by the user and keeps invalid data out of the database.
There are several ways to validate data in Laravel:
1. Using the validate method, which is implemented in the ValidatesRequests trait. By default, all controllers that extend the base controller inherit this trait. The validate method itself takes an object of the Illuminate\Http\Request class, an array of rules for validating the fields, an array of custom messages for displaying errors, and an array of custom attribute names; the last two are optional. Data validation can therefore be performed directly in the controller, using the controller's own means, and it looks like this:
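The controller-level call described above, as an added example that is not the post's own code; the ProfileController, its route names and the fields are assumptions, and the route is assumed to run behind the auth middleware.

```php
<?php
// Added example (not the post's own code): the controller-level validate()
// from the ValidatesRequests trait, called with all four arguments the text
// lists. Controller, route and field names are assumptions.

namespace App\Http\Controllers;

use Illuminate\Http\Request;

class ProfileController extends Controller
{
    public function update(Request $request)
    {
        // 1st: the Request; 2nd: rules per field; 3rd: custom messages;
        // 4th: custom attribute names (the last two are optional).
        // On failure Laravel redirects back with the errors flashed to the
        // session; on success only the validated fields are returned.
        $validated = $this->validate(
            $request,
            [
                'name'  => ['required', 'string', 'max:255'],
                'email' => ['required', 'email:rfc', 'max:255'],
                'age'   => ['nullable', 'integer', 'between:13,120'],
            ],
            ['email.email' => 'Please provide a valid e-mail address.'],
            ['name' => 'display name']
        );

        // Persist from $validated, never from $request->all(): any key the
        // client adds that has no rule (say "is_admin") is simply not present.
        $request->user()->update($validated);

        return redirect()->route('profile.edit')->with('status', 'Profile updated.');
    }
}
```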
2. It is also possible to use the validate method of the Illuminate\Http\Request class itself, which takes almost the same arguments as in the previous example, except for the $request object.
3. Another way to validate is to create a validator manually using the Illuminate\Validation\Validator façade and its make method. The first argument passed to make is the data to be validated; the second is the validation rules to apply to that data.
4. In my opinion, this method is the most correct from an architectural point of view. Moving validation into a separate class that implements a Form Request satisfies one of the main principles of SOLID, the Single Responsibility Principle. Laravel already has a command to create a Form Request class:
php artisan make:request NewValidationRequest
This command creates the class in app/Http/Requests; by default the class is created with two methods, authorize and rules. The authorize method lets you implement the logic that checks whether the user has the necessary permissions to execute the request. If it returns true, the request proceeds to the rules method for validation. If authorize returns false, the user is redirected to the error page or handled according to the custom logic you specify. The rules method stores and returns the array of rules against which the input data is checked. The class can be extended by implementing the messages and attributes methods, which return custom messages for validation errors and custom names for attributes respectively.
When a Form Request class is used, the validated data can be retrieved in the controller in the same way as with a regular Request validator:
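A filled-in Form Request and the controller action that consumes it, added here as an example and not taken from the post. The Post model and its policy, the field names and the route names are assumptions, and the route is assumed to sit behind the auth middleware.

```php
<?php
// Added example (not the post's own code): a Form Request as created by
// "php artisan make:request", with the authorize(), rules(), messages() and
// attributes() methods the text describes, plus the controller action using it.
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

class UpdatePostRequest extends FormRequest
{
    // Returning false makes Laravel answer 403 before rules() runs, so the
    // ownership check cannot be forgotten in the controller.
    public function authorize(): bool
    {
        $post = $this->route('post');   // route-model-bound Post, or null
        return $post !== null && $this->user()->can('update', $post);
    }

    public function rules(): array
    {
        return [
            'title'  => ['required', 'string', 'max:120'],
            'body'   => ['required', 'string', 'max:20000'],
            'tags'   => ['sometimes', 'array', 'max:10'],
            'tags.*' => ['string', 'alpha_dash', 'max:30'],   // applies to each element
        ];
    }

    public function messages(): array
    {
        return ['tags.*.alpha_dash' => 'Tags may only contain letters, digits, dashes and underscores.'];
    }

    public function attributes(): array
    {
        return ['body' => 'post text'];   // substituted for :attribute in messages
    }
}

namespace App\Http\Controllers;
use App\Http\Requests\UpdatePostRequest;
use App\Models\Post;
class PostController extends Controller
{
    // Type-hinting the Form Request runs authorize() and rules() before this body.
    public function update(UpdatePostRequest $request, Post $post)
    {
        $post->update($request->validated());   // only fields that passed validation
        return redirect()->route('posts.show', $post);
    }
}
```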
I will not copy-paste the class or list all the available validation rules. The official documentation describes all possible rules at https://laravel.com/docs/10.x/validation#available-validation-rules, but if these rules aren't enough to cover all of your fields, Laravel has a mechanism for creating your own custom validation rules.
This mechanism allows you to create validation rules that meet the specific needs of your application. To create a new rule, use the command:
php artisan make:rule CustomValidationRule
It creates a new rule in the app/Rules folder, and the class itself implements only two methods: passes, which should contain the logic by which the field is checked, and message, which stores the message returned when the data is invalid.
In order to use this rule in validation, it is enough to add it to the rules array:
There are also several ways to receive and handle errors, depending on how the data was validated. If you need to get errors when using the Validator class, all of them can be obtained by calling the errors method:
And if an object of the Request class was used for validation, you can get the errors from the session:
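The rule class, its place in the rules array, and reading errors from a manually built validator, as an added example that is not the post's own code. It assumes the Illuminate\Contracts\Validation\Rule contract (the passes()/message() interface the text describes), the Illuminate\Support\Facades\Validator facade, and constructed controller, field and route names.

```php
<?php
// Added example (not the post's own code): a rule class as produced by
// "php artisan make:rule", with the passes() and message() methods the text
// describes, then used from a manually built validator whose errors are read
// through errors(). The code format, field and route names are assumptions.

namespace App\Rules;
use Illuminate\Contracts\Validation\Rule;

class CustomValidationRule implements Rule
{
    // Constructed format: a one-time code of exactly six decimal digits.
    // The anchored regex rejects extra characters, whitespace and newlines.
    public function passes($attribute, $value): bool
    {
        return is_string($value) && preg_match('/\A[0-9]{6}\z/', $value) === 1;
    }

    public function message(): string
    {
        return 'The :attribute must be exactly six digits.';
    }
}

namespace App\Http\Controllers;
use App\Rules\CustomValidationRule;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Validator;

class VerifyCodeController extends Controller
{
    public function store(Request $request)
    {
        $validator = Validator::make($request->all(), [
            'email' => ['required', 'email'],
            'code'  => ['required', new CustomValidationRule],   // the custom rule in the array
        ]);

        if ($validator->fails()) {
            // errors() is a MessageBag: first('code') gives one field's first
            // message, all() every message. withErrors() flashes the bag to the
            // session, which is where Blade's $errors variable is filled from.
            return back()->withErrors($validator)->withInput($request->only('email'));
        }

        $clean = $validator->validated();   // only the fields that passed
        // ... compare $clean['code'] with the stored one-time code here ...
        return redirect()->route('home');
    }
}
```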
When you need to handle errors in Blade files, a global $errors variable is injected there; it is automatically available in all layouts and is an instance of the MessageBag class.
Or, if you need to display a specific error for one field, the @error helper directive is used: