How does validation work in Laravel?

Question

Accepted Answer

Laravel provides a powerful, expressive **validation** system to ensure incoming request data meets your rules before processing — protecting against bad and malicious input. The simplest form is `$request->validate()`, with rules expressed as strings or arrays. ## Validating in a controller ```php public function store(Request $request) { $validated = $request->validate([ 'name' => 'required|string|max:100', 'email' => 'required|email|unique:users', // must be a unique email 'age' => 'nullable|integer|min:0|max:120', 'password' => 'required|min:8|confirmed', // requires password_confirmation ]); // if validation FAILS → automatically redirects back with errors (or 422 JSON for APIs) // if it PASSES → $validated holds the safe, validated data User::create($validated); } ``` `$request->validate()` checks the rules. **On failure**, Laravel automatically redirects back with error messages (for web forms) or returns a 422 JSON response with errors (for APIs) — you write no error-handling code. **On success**, you get the validated data. ## Common validation rules ```text required, nullable, sometimes present/absence rules string, integer, boolean, array type rules email, url, date, uuid format rules min:n, max:n, between:a,b size/range unique:table, exists:table database rules confirmed, same:field, different comparison in:a,b,c, regex:... value constraints ``` ## Displaying errors in Blade ```blade @error('email') {{ $message }} {{-- show the error for a field --}} @enderror {{-- old() repopulates after failure --}} ``` ## Form Request classes (for complex validation) ```php // php artisan make:request StoreUserRequest → extract validation into its own class class StoreUserRequest extends FormRequest { public function rules(): array { return ['name' => 'required', 'email' => 'required|email']; } } public function store(StoreUserRequest $request) { // validation runs automatically User::create($request->validated()); } ``` For complex or reusable validation, **Form Request** classes move rules out of the controller (validation runs automatically before the method) — keeping controllers clean. ## Why it matters Validation is essential for both **security and robustness** — since you must never trust user input, validating incoming data before processing it protects against malformed data and malicious attacks, and Laravel's validation system makes this clean and powerful. Understanding it is fundamental everyday knowledge, since nearly every endpoint that accepts input needs validation. The `$request->validate()` method is remarkably convenient — it checks rules and **automatically handles failures** (redirecting back with errors for forms, returning 422 JSON for APIs) without any manual error-handling code, while giving you the safe validated data on success. Knowing the expressive rule syntax (`required|email|unique:users`, etc.) covers most validation needs declaratively. For complex or reusable validation, **Form Request classes** keep controllers thin by extracting rules (with validation running automatically) — a best practice for maintainable code. Understanding Laravel's validation — the convenient `validate()` method, the rule syntax, automatic error handling, displaying errors in Blade with `old()` repopulation, and Form Requests — is important for building safe, robust applications, since input validation is a ubiquitous, security-critical requirement that Laravel handles elegantly.