
Tarasovych's avatar

Better way to validate API request parameters

I have a GET request which returns some data. I define a sort parameter. I need to validate it to prevent QueryException. What's the best way to do this as complex as possible?

My current solution is

$validator = Validator::make($request->query(), [
    'sort' => [
        'string',
        'regex:...'
    ]
]);

if ($validator->fails()) {
    return response(
        $validator->errors(),
        400
    );
}

My regex matches some fields which might be sortable and order (e.g. name|asc, created_at|desc) and it's very huge and non-scalable. If I rename some fields? If I need to add some more fields to sort? Can't answer about what I'd do than with my regex. Maybe there are some better ways to validate request parameters? Thanks.

P.S. One more problem is that the 2nd parameter (asc/desc) isn't required for orderBy(), and now I use explode() to get column name and direction. When direction is empty, I have to check array length in addition.

0 likes
3 replies
bobbybouwmann's avatar
Level 88

Not really sure why you need query parameter validation. Instead I would probably build in some checks to handle that. Something like this

public function show(Request $request)
{
    if ($request->has('sort')) {
        // sort the data by the sort field
    }

    // And so on
}

With this approach you are more free to use query parameters. In general I would recommend you to stay as far away from get parameters as possible. Once you use them you start to use them for more and more and then you have 10 options and after that 12 and so on!

1 like
Tarasovych's avatar

@bobbybouwmann Thanks! I need query parameter validation for the following reason - here I handle request with sort:

if ($request->sort) {
    $sort = explode('|', $request->sort);
    $field = $sort[0];
    $direction = $sort[1];
    $phones = $phones->orderBy($field, $direction);
}

If there'd be something like ?sort=unexisted_column|bad_direction, I'll get an Exception on orderBy().

> In general I would recommend you to stay as far away from get parameters as possible.

How can I replace my current approach? Create separate but simpler GET endpoints?

bobbybouwmann's avatar

Well one option to stay away from it is using ajax calls to sort the results in your views. You can then post your data or do a get request with data to the API.

Of course you should validate your get parameters if you want to use them. Also instead of using a | I would recommend you to use separated fields. So something like this

example.com/posts?sortBy=title&sortOrder=desc

This way you can easily validate the object. Also, validating the sortOrder is easy, right?

$direction = strtolower($request->get('sortOrder', 'asc'));
// Fall back to ascending for anything that is not a known direction
if (!in_array($direction, ['asc', 'desc'])) {
    $direction = 'asc';
}

This way you can leave off the field. By default it will be asc and if you pass in an invalid value you will switch it back to asc.

1 like
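An allowlist version of the check discussed in this thread, as an added example that is not code from any of the posters: the sortable fields live in one map instead of a regex, the direction is optional, and both the `sort=field|direction` form and the `sortBy`/`sortOrder` form are accepted. Unlike the snippet above it rejects an invalid direction instead of falling back to asc. Because only values from the map reach `orderBy()`, request input is never used as a column identifier, which matters since column names are not bound parameters. `SORTABLE`, `resolveSort()` and the `phones.*` column names are assumptions made for illustration.

```php
<?php
// Added example; SORTABLE, resolveSort() and the column names are hypothetical.
// Public sort key => real column. Renaming a column only changes the right-hand side.
const SORTABLE = [
    'name'       => 'phones.name',
    'created_at' => 'phones.created_at',
];

/**
 * Turn query parameters into [column, direction], or null when no sort was requested.
 * @throws InvalidArgumentException for an unknown field or direction (map it to HTTP 400)
 */
function resolveSort(array $query): ?array
{
    if (isset($query['sort'])) {
        if (!is_string($query['sort'])) {           // e.g. ?sort[]=x arrives as an array
            throw new InvalidArgumentException('Unsupported sort field');
        }
        // Direction is optional in this form, so pad the missing part with null.
        [$field, $direction] = array_pad(explode('|', $query['sort'], 2), 2, null);
    } else {
        $field = $query['sortBy'] ?? null;
        $direction = $query['sortOrder'] ?? null;
    }

    if ($field === null || $field === '') {
        return null;                                // nothing to sort by
    }
    if (!is_string($field) || !array_key_exists($field, SORTABLE)) {
        throw new InvalidArgumentException('Unsupported sort field');
    }

    $direction = ($direction === null || $direction === '') ? 'asc' : $direction;
    if (!is_string($direction) || !in_array(strtolower($direction), ['asc', 'desc'], true)) {
        throw new InvalidArgumentException('Unsupported sort direction');
    }
    return [SORTABLE[$field], strtolower($direction)];
}

// Constructed sample inputs, including the bad request quoted in the thread.
$samples = [['sort' => 'name'], ['sortBy' => 'created_at', 'sortOrder' => 'DESC'],
            ['sort' => 'unexisted_column|bad_direction']];
foreach ($samples as $query) {
    try {
        echo json_encode(resolveSort($query)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

In a controller the result would be applied with something like `if ($sort = resolveSort($request->query())) { $phones = $phones->orderBy(...$sort); }`, with the exception turned into a 400 response.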
