Skip to main content

What is validation?

Validation is the process of verifying that data submitted by the user meets the format and rules your application expects. Laravel provides a simple, expressive validation system built into the request object, with no third-party packages required.

Validating in a controller

Using $request->validate()

The most straightforward way to validate incoming data is to call $request->validate() inside a controller method. If validation fails, Laravel automatically redirects the user back to the previous page and stores the error messages in the session. First, define your routes: 
use App\Http\Controllers\PostController;

Route::get('/post/create', [PostController::class, 'create']);
Route::post('/post', [PostController::class, 'store']);
Then write the controller: 
<?php

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\View\View;

class PostController extends Controller
{
    public function create(): View
    {
        return view('post.create');
    }

    public function store(Request $request): RedirectResponse
    {
        $validated = $request->validate([
            'title' => 'required|string|max:255',
            'body'  => 'required|string',
            'email' => 'required|email',
        ]);

        // Save the post using validated data...

        return redirect('/posts');
    }
}
Pass an array to validate where each key is a field name and each value is the validation rules for that field. You can express rules either as a pipe-delimited string or as an array: 
// Pipe-delimited
'title' => 'required|string|max:255',

// Array form
'title' => ['required', 'string', 'max:255'],

Common validation rules

RuleDescription
requiredThe field must be present and non-empty
stringThe field must be a string
emailThe field must be a valid email address
min:valueThe string length or numeric value must be at least the given value
max:valueThe string length or numeric value must not exceed the given value
unique:tableThe value must be unique in the given database table
nullableThe field may be null
integerThe field must be an integer
booleanThe field must be true, false, 1, or 0
dateThe field must be a valid date
confirmedThe field must match a corresponding field_confirmation field
For the full list of available validation rules, see the official documentation.

Using validated data

The validate method returns only the data that passed validation. Use this array directly — it contains nothing more than what you explicitly declared: 
$validated = $request->validate([
    'title' => 'required|string|max:255',
    'body'  => 'required|string',
]);

// $validated is ['title' => '...', 'body' => '...']
Post::create($validated);

Displaying errors in Blade

When validation fails, Laravel makes an $errors variable available in every view. The ShareErrorsFromSession middleware in the web middleware group handles this automatically.

Display all errors

@if ($errors->any())
    <ul>
        @foreach ($errors->all() as $error)
            <li>{{ $error }}</li>
        @endforeach
    </ul>
@endif

Display errors per field

Use the @error directive to show an inline error message for a specific field: 
<label for="title">Title</label>

<input
    id="title"
    type="text"
    name="title"
    value="{{ old('title') }}"
    class="@error('title') is-invalid @enderror"
/>

@error('title')
    <div class="error-message">{{ $message }}</div>
@enderror
Use old('field') to repopulate form fields with the user’s previous input after a validation failure.

Form request classes

When to use them

When validation logic becomes complex, extract it into a dedicated “form request” class. A form request encapsulates both the validation rules and the authorization check for a request.

Creating a form request

Use the make:request Artisan command: 
php artisan make:request StorePostRequest
This creates app/Http/Requests/StorePostRequest.php: 
<?php

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

class StorePostRequest extends FormRequest
{
    /**
     * Determine if the user is authorized to make this request.
     */
    public function authorize(): bool
    {
        return true;
    }

    /**
     * Get the validation rules that apply to the request.
     *
     * @return array<string, \Illuminate\Contracts\Validation\ValidationRule|array<mixed>|string>
     */
    public function rules(): array
    {
        return [
            'title' => 'required|string|max:255',
            'body'  => 'required|string',
            'email' => 'required|email|unique:posts',
        ];
    }
}

The rules() method

Return your validation rules as an array, using the same format as $request->validate().

The authorize() method

Return true to allow the request, or false to automatically return a 403 response. You can check the authenticated user here. For tutorials, returning true is fine.
If authorize returns false, Laravel returns a 403 Forbidden response and the controller method is never called.

Using the form request in a controller

Type-hint the form request class on your controller method. Laravel validates and authorizes the request before your method is called, so you can skip writing any validation code inside the method: 
use App\Http\Requests\StorePostRequest;

class PostController extends Controller
{
    public function store(StorePostRequest $request): RedirectResponse
    {
        // Execution only reaches here if validation passed

        $validated = $request->validated();

        Post::create($validated);

        return redirect('/posts');
    }
}
Call $request->validated() to retrieve only the data that passed validation.

Practical example: a post creation form

Here is the full flow — from displaying a form to validating and saving the data.
1

Define routes

use App\Http\Controllers\PostController;

Route::get('/posts/create', [PostController::class, 'create']);
Route::post('/posts', [PostController::class, 'store']);
2

Create a form request

php artisan make:request StorePostRequest

public function rules(): array
{
    return [
        'title' => 'required|string|max:255',
        'body'  => 'required|string',
    ];
}

public function authorize(): bool
{
    return true;
}
3

Implement the controller

use App\Http\Requests\StorePostRequest;
use App\Models\Post;

class PostController extends Controller
{
    public function create(): View
    {
        return view('posts.create');
    }

    public function store(StorePostRequest $request): RedirectResponse
    {
        Post::create($request->validated());

        return redirect('/posts');
    }
}
4

Create the Blade template

{{-- resources/views/posts/create.blade.php --}}

<h1>New Post</h1>

@if ($errors->any())
    <ul>
        @foreach ($errors->all() as $error)
            <li>{{ $error }}</li>
        @endforeach
    </ul>
@endif

<form method="POST" action="/posts">
    @csrf

    <div>
        <label for="title">Title</label>
        <input
            id="title"
            type="text"
            name="title"
            value="{{ old('title') }}"
        />
        @error('title')
            <span>{{ $message }}</span>
        @enderror
    </div>

    <div>
        <label for="body">Body</label>
        <textarea id="body" name="body">{{ old('body') }}</textarea>
        @error('body')
            <span>{{ $message }}</span>
        @enderror
    </div>

    <button type="submit">Publish</button>
</form>
Always include the @csrf directive in your Blade forms. Without it, Laravel returns a 419 error.

Next steps

Controllers

Review how to organize request handling logic in controller classes.
Last modified on April 7, 2026