1. Form
First, we need to learn the ways to secure forms in Laravel. To secure forms in Laravel, you can use several ways as follows:
- Use CSRF token: CSRF stands for Cross-Site Request Forgery , which is an attack method where an attacker can forge a request from a user to a web application. Laravel provides CSRF token to solve this problem. You can use the @csrf directive to add a CSRF token to your form.
1 2 3 4 5 | <form method="POST" action="/example"> @csrf // ... </form> |
- Use HTTPS: HTTPS is a protocol that secures and encrypts data on the network. Using HTTPS will help prevent attackers from forging user requests.
- Use validation: Laravel provides validation rules to check the data sent by the user. You should check your inputs to make sure they are not hacked.
Above are some ways to secure forms in Laravel. However, this is only part of securing your web application. You should learn more about web security to ensure that your application is secure and free from attacks.
2. Validation
Validation for what?
Validation is used to check the validity of data entered by the user before processing the data or saving it in the database. It helps ensure that imported data meets predefined requirements and constraints, helps avoid unexpected data errors, and increases application security.
Here is a simple example of validation in a Laravel controller:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 | <?php namespace AppHttpControllers; use IlluminateHttpRequest; use IlluminateSupportFacadesValidator; class UserController extends Controller { public function store(Request $request) { $validator = Validator::make($request->all(), [ 'name' => 'required|max:255', 'email' => 'required|email|unique:users,email|max:255', 'password' => 'required|min:6|max:255', ]); if ($validator->fails()) { return redirect('register') ->withErrors($validator) ->withInput(); } // Nếu dữ liệu hợp lệ, lưu vào cơ sở dữ liệu User::create([ 'name' => $request->input('name'), 'email' => $request->input('email'), 'password' => Hash::make($request->input('password')), ]); // Chuyển hướng về trang đăng nhập return redirect('login'); } } |
- In this example, we define a store() function to handle the user registration request. First, we use the Validator::make() function to create a validator object and pass in the registration data sent from the user and the validation rules.
- In this case, we are checking to see if the “name” field is required, cannot exceed 255 characters, the “email” field is in the correct email format, there are no duplicates in the database, and can be more than 255 characters, and the “password” field is mandatory, cannot be shorter than 6 characters, and cannot exceed 255 characters.
- If the validator detects that the data is invalid, it returns a $validator object with specific error messages. We use the withErrors() method to pass this validator object to the registration view so that the user can see where his error is and can correct the data. We also use the withInput() method to retain the user entered values on the form.
- If the data is valid, we save the user data in the database and redirect the user to the login page.
Looking at the above we see that this Controller seems to be taking on a lot of work, with simple logic handling we already have to spend quite a few lines of code, if the logic is complicated with more validation, the code will really messed up. This is where we need the Form Request .
Create Form Request
We can create FormRequest via artisan command:
1 2 | php artisan make:request StoreBlogPostRequest |
This command will create for us the StoreBlogPostRequest file at AppHttpRequests. This file includes two default methods, authorize() and rules().
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 | namespace AppHttpRequests; use IlluminateFoundationHttpFormRequest; class StoreBlogPostRequest extends FormRequest { /** * Determine if the user is authorized to make this request. * * @return bool */ public function authorize() { return true; } /** * Get the validation rules that apply to the request. * * @return array */ public function rules() { return [ 'title' => 'required|max:255', 'body' => 'required', 'email' => [ 'required', 'email', Rule::unique('users')->ignore($this->user), ], ]; } } |
In this example, we have created a Form Request StoreBlogPostRequest with two fields title and body. The rules() method defines the validation rules that apply to these fields.
However, in some cases, we may want to add rules or check additional data after validation. For example, check if an email already exists in the database, or add some complicated condition to check the validity of the data. To do this, we can use the withValidator() method. . This method takes a Validator object as a parameter and allows us to add rules or check additional data.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 | namespace AppHttpRequests; use IlluminateFoundationHttpFormRequest; use IlluminateValidationRule; class UserRequest extends FormRequest { public function rules() { return [ 'name' => 'required|string', 'email' => [ 'required', 'email', Rule::unique('users')->ignore($this->user), ], 'password' => 'required|string|min:6', ]; } public function withValidator($validator) { $validator->after(function ($validator) { if ($validator->errors()->isEmpty()) { $email = $this->input('email'); if ($this->user->email !== $email && User::where('email', $email)->exists()) { $validator->errors()->add('email', 'Email already exists.'); } } }); } } |
Here, we used the after() method of the validator to add a closure to check if the email already exists in the database after the data is validated. If there is an error, we will add the error to the validator using the add() method of the validator. If there is no error, the next logic will be executed in the Controller.
Then you can use the Form Request in the Controller like so:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | namespace AppHttpControllers; use AppHttpRequestsStoreBlogPostRequest; class BlogController extends Controller { /** * Store a newly created resource in storage. * * @param AppHttpRequestsStoreBlogPostRequest $request * @return IlluminateHttpResponse */ public function store(StoreBlogPostRequest $request) { // Xử lý dữ liệu sau khi đã được validate } } |
In the above code, we have used the Form Request StoreBlogPostRequest in the store() method of the BlogController Controller. This will help Laravel automatically execute the validation rules and return the corresponding error messages if the data is invalid. If the data is valid, we can continue to process the data in the store() method.
To display the validation error message, you can use the messages() method in the Form Request or the validate() method in the controller. If you use the messages() method in the Form Request, you can define custom error messages for each validation rule.
For example, to define the error message in the example above, we could modify the rules() method as follows:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 | namespace AppHttpRequests; use IlluminateFoundationHttpFormRequest; class StoreBlogPostRequest extends FormRequest { /** * Determine if the user is authorized to make this request. * * @return bool */ public function authorize() { return true; } /** * Get the validation rules that apply to the request. * * @return array */ public function rules() { return [ 'title' => 'required|max:255', 'body' => 'required', ]; } /** * Get the error messages for the defined validation rules. * * @return array */ public function messages() { return [ 'title.required' => 'Vui lòng nhập tiêu đề bài viết', 'title.max' => 'Tiêu đề bài viết không được vượt quá :max ký tự', 'body.required' => 'Vui lòng nhập nội dung bài viết', ]; } } |
In this example, we have customized the error messages for each validation rule. For example, if the user does not enter a title, Laravel will return the error message “Please enter a title” instead of “The title field is required.” default.
How to display error in view after validation?
To display validation error messages in the view, you can use the $errors variable. This variable is an instance of the IlluminateSupportMessageBag class and contains the validation error messages.
In the view, you can use the has() method to check if the $errors variable contains an error message. If so, you can use the first() method to get the first error message. For example:
1 2 3 4 5 6 | @if ($errors->has('title')) <div class="alert alert-danger"> {{ $errors->first('title') }} </div> @endif |
Here, we use the has(‘title’) method to check if there is an error message for the title field. If so, we display the first error message for this field using the first(‘title’) method.
Thank you for reading, hope the article can be useful