Security Tip: Don’t Trust User Input!

[Tip#7] Always pass user input through a validator to ensure you only get the data you're expecting.

Security Tip: Don’t Trust User Input!

👉 Looking to dive deeper into Laravel security? Check out Practical Laravel Security, my hands-on security course that uses interactive hacking challenges to teach you about how vulnerabilities work, so you can avoid them in your own code! 🕵️

👉 When was your last Security Audit or Penetration Test? Book in a Laravel Security Audit and Penetration Test today! 🕵️

Don’t trust user input.

Don’t trust user input.

And one more for good measure…

Don’t trust user input.

You should always pass user input through a validator before you use it, and here are  a few reasons why:

  1. It forces you to define explicit rules which state exactly what sort of input is allowed in each field.
  2. You’re far less likely to have unexpected data that causes your application to do unexpected things.
  3. You have control over which fields are passed into a model for mass-assignment.
  4. Your user interface can understand and display friendly errors to your users with minimal effort on your part.

Check out the docs for the many ways to use a validator in Laravel.

My preferred method is within controller actions on the Request object, or using a FormRequest object for more complicated forms.

 * Store a new blog post.
 * @param  \Illuminate\Http\Request  $request
 * @return \Illuminate\Http\Response
public function store(Request $request)
    $validated = $request->validate([
        'title'      => ['required', 'unique:posts', 'max:255'],
        'body'       => ['required', 'string'],
        'publish_at' => ['nullable', 'date'],

    // $validated contains only valid user input

    $post = Post::create($validated);

    // ...

Go forth and validate all the things! 😎