ohtyap / laravel-sane-validator
sane validation rule handling for laravel
Requires
- illuminate/validation: ^10|^11
Requires (Dev)
- illuminate/translation: ^11
- phpstan/phpstan: ^1.12
- phpunit/phpunit: ^11.0
This package is auto-updated.
Last update: 2025-03-18 11:01:18 UTC
README
This is a strongly opinionated patch of laravel's validator. When using the validator outside
of an HTTP POST scope (e.g., validating some data structures), you might notice some
shortcomings and unexpected behaviors from the validator. laravel-sane-validator tries
fixing them.
Installation
Install the package via composer:
composer require ohtyap/laravel-sane-validator
After that, declare to use laravel-sane-validator by setting the resolver in the validation factory:
public function boot(): void { $this->app->extend('validator', function (Factory $factory) { $factory->resolver(function (Translator $translator, array $data, array $rules, array $messages, array $attributes) { return new \Ohtyap\LaravelSaneValidator\Validator($translator, $data, $rules, $messages, $attributes); }); return $factory; }); }
Shortcomings of laravel's validator
The first shortcoming is how the validator is handling implicit rules in combination of empty strings. The following quote is taken from the laravel documentation:
By default, when an attribute being validated is not present or contains an empty string, normal validation rules, including custom rules, are not run.
This has the effect that input data might bypass your validation - especially when it comes to optional fields.
$rules = ['email' => 'email']; $data = ['email' => ' ']; Validator::make($data, $rules)->passes(); // true
In the above example, the expectation would be that the validator fails because the input (a space)
isn't (obviously) not a valid email address.
It's possible to enforce the validation of empty strings by using the required or filled rule. This is
not very intuitive for optional fields, and it is very easy to forget to add filled (or sometimes|required).
Moreover, this brings the second shortcoming: laravel is making assumptions about how a non-empty value should
look. It is impossible to pass null or [] - even if both are perfectly valid values - when using required.
Consequently, combinations like required|nullable aren't possible.
laravel-sane-validator behavior
When using this validator, implicit rules are always executed when the field is present in the input. That way, it is no longer possible for empty strings to bypass validation.
required (including the other special cases of required* like requiredIf ) has the same behavior
as present. It's only checking if the field is present in the input. More explicit evaluation of what is
considered valid is up to the developer and what is defined in the rules.
Special note about filled
filled is using the same behavior as in the original validator. An empty string is still considered
invalid (same for an empty array, null, etc.). But it is possible to declare rules like filled|nullable.
Strategies to start using laravel-sane-validator
By default you install and register laravel-sane-validator and you are good to go. But this might be troublesome
for existing and bigger application. A step-by-step approach might be a better way of changing the behavior of the
validation.
Enable the laravel-sane-validator behavior by default, disable is occasionally
# `laravel-sane-validator` behavior $validator = Validator::make($data, $rules); $validator->passes(); # laravel default behavior $validator = Validator::make($data, $rules); $validator->disableSaneValidation(); $validator->passes();
Disable the laravel-sane-validator behavior by default, enable is occasionally
public function boot(): void { \Ohtyap\LaravelSaneValidator\Validator::defaultEnableSaneValidation(false); }
# `laravel-sane-validator` behavior $validator = Validator::make($data, $rules); $validator->enableSaneValidation(); $validator->passes(); # laravel default behavior $validator = Validator::make($data, $rules); $validator->passes();