$ lexprog.com

// notes from an old coder -- php, databases, and the occasional rant

[March 01, 2024] Laravel

Laravel Request Validation: Custom Rules

Laravel Request Validation: Custom Rules

────────────────────────────────────────────────────────

Laravel Request Validation: Custom Rules

Tip: Create Reusable Rule Objects

class Uppercase implements Rule
{
    public function passes($attribute, $value): bool
    {
        return strtoupper($value) === $value;
    }

    public function message(): string
    {
        return 'The :attribute must be uppercase.';
    }
}

Gotcha: Rule Objects Don't Have Access to Other Fields

If you need to compare two fields, use a Form Request with rules():

public function rules(): array
{
    return [
        'end_date' => 'required|after:start_date',
    ];
}

Tip: Closure Rules for One-Offs

$request->validate([
    'title' => [
        'required',
        function ($attribute, $value, $fail) {
            if (str_contains($value, 'spam')) {
                $fail('The title contains spam.');
            }
        },
    ],
]);

Gotcha: after Hook Runs After Validation

Use $validator->after() for cross-field validation that can't be expressed with rules.

Tip: stopOnFirstFailure for Faster Feedback

protected $stopOnFirstFailure = true;

In Form Requests, stops validation after the first error.

Gotcha: Nullable Fields Skip Rules

If a field is nullable and null, subsequent rules are skipped. Use sometimes instead.

Tip: Use route:cache Carefully

php artisan route:cache is fast, but it doesn't work with closure-based routes. Every time you cache routes, Laravel serializes them. If you have Route::redirect() or closure callbacks, the cache breaks. Stick to controller-based routes in production.

Tip: Model APP_KEY Rotation

Rotating APP_KEY invalidates all encrypted data — cookies, encrypted DB columns, and password reset tokens. If you must rotate (e.g., after a leak), plan a migration that re-encrypts existing data with the new key.

Gotcha: Local Scope Leaks

Global scopes defined in booted() apply to ALL queries on that model — including relationships. An innocent User::all() in admin panel might exclude soft-deleted users if a global scope is active.

Senior Insight

Custom rule objects are underused in most Laravel projects I've reviewed. Instead of one-off Validator::extend() calls scattered across controllers, encapsulate complex validation logic in a Rule class. I once consolidated 15 similar validation checks scattered across 8 controllers into a single ValidPhoneNumber rule class — the bug fix success rate improved dramatically because there was one place to update.

Source: Laravel News (https://laravel-news.com/), Freek.dev (https://freek.dev/tags/laravel), Spatie Blog (https://spatie.be/blog)

────────────────────────────────────────────────────────
<-- back to posts