Using Laravel Form Requests for validation and authorization
Jul 13, 2025 am 02:39 AMForm Request is a special class in Laravel for handling form validation and permission control, implemented by inheriting Illuminate\Foundation\Http\FormRequest. It encapsulates verification rules in rules() methods, such as verification rules that define titles and content, and supports dynamic adjustment rules such as excluding uniqueness checks for the current article ID. Permission control is implemented through the authorize() method, which can be used to determine whether the operation is allowed to be executed based on the user role or the authorization policy (Policy). In addition, Form Request also supports preprocessing data, custom error prompts, and attribute names, such as cleaning inputs through prepareForValidation(), and providing friendly prompts using messages() and attributes(). It is recommended to divide the Form Request class by business scenario and use it in conjunction with Policy to improve code maintainability.
In Laravel, Form Requests is a very useful tool if you need to handle both form validation and permission control. It extracts verification logic from the controller, not only making the code clearer, but also handling authorization checks in a unified manner to avoid bloated controllers.

What is Form Request?
Form Request is a class provided by Laravel that is specifically used to handle form requests. It is essentially a custom request class inherited from Illuminate\Foundation\Http\FormRequest
, which can contain verification rules, authorization logic, and even preprocess input data.

You can create a Form Request through the Artisan command:
php artisan make:request StorePostRequest
The generated class will be placed in the app/Http/Requests
directory (if this directory is not available, Laravel will be automatically created).

How to use Form Request for verification?
Verification is one of the core features of Form Request. You just need to return an array-like verification rule in rules()
method.
For example, suppose you want to create an article publishing request, requiring the title to be at least 5 characters, and the content must exist:
public function rules() { Return [ 'title' => 'required|string|min:5', 'content' => 'required|string', ]; }
These rules are executed before the request reaches the controller. If the verification fails, Laravel will automatically return the 422 status code and error message, without you having to make a manual judgment in the controller.
In addition, you can dynamically adjust the rules based on the request, such as excluding the uniqueness verification of the current article ID when editing:
public function rules() { Return [ 'title' => 'required|string|min:5|unique:posts,title,' . $this->post?->id, ]; }
How to do permission control in Form Request?
In addition to verification, Form Request also provides an authorize()
method to determine whether the current user has permission to initiate this request.
For example, only administrators can create articles:
public function authorize() { return $this->user()->isAdmin(); }
Or more specifically control the editing permissions of an article:
public function authorize() { $post = Post::find($this->route('post')); return $this->user()->can('update', $post); }
Laravel's authorization policy is used here to ensure that the user has permission to operate the corresponding model. If false is returned, Laravel will automatically return a 403 response.
This way, the permission judgment is also concentrated in the request object, rather than scattered in the various controllers.
Practical usage suggestions
- Divide Form Request by business : Do not reuse the same Form Request to deal with multiple different scenarios in order to save trouble. For example, it is best to separate two categories of "create articles" and "edit articles".
- Use authorization logic in combination with Policy : This allows authorization logic to be clearer and can be reused elsewhere.
- Preprocess data using
prepareForValidation
appropriately : for example, clear spaces, format time, etc., process the data in advance before entering the verification process. - Customize error message and attribute names :
messages()
andattributes()
methods can make the error prompts more friendly.
For example:
public function messages() { Return [ 'title.required' => 'Title cannot be empty', 'content.min' => 'The content cannot be less than:min word', ]; } public function attributes() { Return [ 'title' => 'Article Title', 'content' => 'Article content', ]; }
A last tip
If you use multiple Form Requests in a controller method, note that they all perform verification and authorization in turn. In other words, as long as one of them fails, it will not continue to execute.
In addition, the Form Request class itself can also inject dependencies, such as database services or other help classes, so that you can make more complex judgments when verifying or authorizing.
Basically that's it. Using Form Request rationally can make your controller cleaner and make verification and authorization logic easier to maintain.
The above is the detailed content of Using Laravel Form Requests for validation and authorization. For more information, please follow other related articles on the PHP Chinese website!

Hot AI Tools

Undress AI Tool
Undress images for free

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Clothoff.io
AI clothes remover

Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Hot Tools

Notepad++7.3.1
Easy-to-use and free code editor

SublimeText3 Chinese version
Chinese version, very easy to use

Zend Studio 13.0.1
Powerful PHP integrated development environment

Dreamweaver CS6
Visual web development tools

SublimeText3 Mac version
God-level code editing software (SublimeText3)

Hot Topics

Efficient methods for testing Laravel API interfaces include: 1) using Laravel's own testing framework and third-party tools such as Postman or Insomnia; 2) writing unit tests, functional tests and integration tests; 3) emulating a real request environment and managing database status. Through these steps, the stability and functional integrity of the API can be ensured.

Custom Laravel user authentication logic can be implemented through the following steps: 1. Add additional verification conditions when logging in, such as mailbox verification. 2. Create a custom Guard class and expand the authentication process. Custom authentication logic requires a deep understanding of Laravel's authentication system and pay attention to security, performance and maintenance.

Integrating social media login in the Laravel framework can be achieved by using the LaravelSocialite package. 1. Install the Socialite package: use composerrequirelaravel/socialite. 2. Configure the service provider and alias: add relevant configuration in config/app.php. 3. Set API credentials: Configure social media API credentials in .env and config/services.php. 4. Write controller method: Add redirection and callback methods to handle social media login process. 5. Handle FAQs: Ensure user uniqueness, data synchronization, security and error handling. 6. Optimization practice:

The steps to create a package in Laravel include: 1) Understanding the advantages of packages, such as modularity and reuse; 2) following Laravel naming and structural specifications; 3) creating a service provider using artisan command; 4) publishing configuration files correctly; 5) managing version control and publishing to Packagist; 6) performing rigorous testing; 7) writing detailed documentation; 8) ensuring compatibility with different Laravel versions.

Implementing password reset function in Laravel requires the following steps: 1. Configure the email service and set relevant parameters in the .env file; 2. Define password reset routes in routes/web.php; 3. Customize email templates; 4. Pay attention to email sending problems and the validity period of tokens, and adjust the configuration if necessary; 5. Consider security to prevent brute-force attacks; 6. After the password reset is successful, force the user to log out of other devices.

Common security threats in Laravel applications include SQL injection, cross-site scripting attacks (XSS), cross-site request forgery (CSRF), and file upload vulnerabilities. Protection measures include: 1. Use EloquentORM and QueryBuilder for parameterized queries to avoid SQL injection. 2. Verify and filter user input to ensure the security of output and prevent XSS attacks. 3. Set CSRF tokens in forms and AJAX requests to protect the application from CSRF attacks. 4. Strictly verify and process file uploads to ensure file security. 5. Regular code audits and security tests are carried out to discover and fix potential security vulnerabilities.

Middleware is a filtering mechanism in Laravel that is used to intercept and process HTTP requests. Use steps: 1. Create middleware: Use the command "phpartisanmake:middlewareCheckRole". 2. Define processing logic: Write specific logic in the generated file. 3. Register middleware: Add middleware in Kernel.php. 4. Use middleware: Apply middleware in routing definition.

Laravel provides a variety of strategies to ensure data security: 1. Use Cryptfacade to encrypt data to protect sensitive information. 2. Enable access control through authorization policies (AuthorizationPolicies) to prevent data leakage. 3. Adjust logging policy and use log rotation to avoid sensitive data leakage.
