Skip Content

Input Validation Failures

What is an input validation failure?

An input validation failure happens when a web application does not properly verify the data provided by the user before processing it or using it. This means the application accepts any kind of input, even if it is malicious or does not match the expected format.

Impact of input validation failures

Input validation failures can significantly impact the security of a web application because they open the door to many attacks, including:

  • SQL Injection (SQLi): if the application does not validate input, an attacker may inject malicious code (such as SQL) that executes on the server. This can lead to data theft, unauthorized modification, or even server takeover.
  • Cross-Site Scripting (XSS): XSS abuses missing/weak validation to inject malicious code into web pages.
  • Denial of Service (DoS): if the application does not limit the amount or type of data it accepts, an attacker can send large or invalid payloads that overload the server.
  • Information disclosure: weak validation can lead to leaking sensitive information such as usernames, passwords, or configuration details.

How do input validation failures happen?

Input validation failures typically occur due to:

  • Missing validation: the application performs no checks on user input.
  • Insufficient validation: some validation exists, but it is not strict or complete enough to detect attacks.
  • Incorrect validation: validation exists but is implemented incorrectly or contains logic errors.
  • Overreliance on client-side validation: validation happens in the browser, but attackers can bypass it by modifying JavaScript or sending requests directly.

Mitigation for input validation failures

In Laravel, input validation can be implemented in controllers (see official Laravel Validation documentation) or via Form Requests (see Laravel Form Request Validation).

Validation in controllers

You can validate input directly in controllers using the validate() method on the Request object:

# UserController.php
 
namespace App\Http\Controllers;
 
use App\Models\User;
use Illuminate\Http\Request;
 
class UserController extends Controller
{
    public function store(Request $request)
    {
        $validateData = $request->validate([
            'name' => 'required|string|max:255',
            'email' => 'required|email|unique:users',
            'password' => 'required|min:8|confirmed'
        ]);
 
        User::create($validateData);
 
        ...
    }
 
    ...
}

In the example above, the validation enforces: name required, string, max length 255; email required, valid email format, unique in users; and password required, at least 8 characters, and matching the confirmation field.

Validation with Form Requests

For better organization and reusability of validation logic, create Form Request classes:

# terminal
 
php artisan make:request StoreUserRequest

This generates app/Http/Requests/StoreUserRequest.php. Inside it, define rules in the rules() method:

# StoreUserRequest.php
 
namespace App\Http\Requests;
 
use Illuminate\Foundation\Http\FormRequest;
 
class StoreUserRequest extends FormRequest
{
    ...
 
    public function rules(): array
    {
        return [
            'name' => 'required|string|max:255',
            'email' => 'required|email|unique:users',
            'password' => 'required|min:8|confirmed',
        ];
    }
 
    ...
}

Then use the Form Request in the controller:

# UserController.php
 
namespace App\Http\Controllers;
 
use App\Http\Requests\StoreUserRequest;
use App\Models\User;
 
class UserController extends Controller
{
    public function store(StoreUserRequest $request)
    {
        // Validation is performed in the StoreUserRequest
        $validateData = $request->validated();
 
        User::create($validateData);
 
        ...
    }
 
    ...
}

Customizing error messages

It is recommended to customize validation error messages in the messages() method:

# StoreUserRequest.php
 
namespace App\Http\Requests;
 
use Illuminate\Foundation\Http\FormRequest;
 
class StoreUserRequest extends FormRequest
{
    ...
 
    public function messages(): array
    {
        return [
            'name.required' => 'The name field is required',
            'name.string' => 'The name field must be a string',
            'name.max' => 'The name field must be less than :max characters',
            'email.required' => 'The email field is required',
            'email.email' => 'The email field is not valid',
            'email.unique' => 'The email address is already registered',
            'password.required' => 'The password field is required',
            'password.min' => 'The password field must be at least :min characters',
            'password.confirmed' => 'The passwords do not match',
        ];
    }
}

Additional security recommendations:

  • Use descriptive rule names to make validation logic easier to understand.
  • Prefer Laravel's built-in validation rules; create custom rules only when strictly necessary.
  • Consider adding client-side validation (JavaScript) for faster feedback, but never rely on it for security.
  • Keep validation code clean and organized to ease maintenance and evolution.