
pthai-it-dev:

Should I validate all query params in a GET request?

Should I validate all query params in a GET request? And if yes, when should I do that? Thank you!

0 likes
7 replies
SilenceBringer:

Ideally you should validate ALL parameters you need and use only the validated data. You can validate in the controller https://laravel.com/docs/9.x/validation#quick-writing-the-validation-logic or using a form request https://laravel.com/docs/9.x/validation#form-request-validation - it's up to you.

The next important part is to use validated data only:

    $validated = $request->validate([
        // ...
    ]);

    YourModel::create($validated);

This way you can be sure you have expected data only. Do not use all query params:

    YourModel::create(request()->all());

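As an added illustration of the advice above (this is example code, not code from the thread or from Laravel itself): a controller action for a read-only GET listing that validates the query parameters with `$request->validate()` and builds the database query only from the validated array. The controller name, model name, column names and route are assumptions for the example.

```php
<?php
// Added example (not from the thread): validating GET query parameters in a
// Laravel controller and using only the validated data afterwards.
// UserController, User and the column names are assumed for illustration.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;

class UserController extends Controller
{
    // GET /users?search=ann&sort=name&per_page=25
    public function index(Request $request)
    {
        // For a GET request, validate() reads the query string. If any rule
        // fails, Laravel throws a ValidationException (rendered as a 422
        // response for JSON clients, or a redirect back with errors).
        $validated = $request->validate([
            'search'   => ['nullable', 'string', 'max:100'],
            'sort'     => ['nullable', 'in:name,created_at'],   // allow-list
            'per_page' => ['nullable', 'integer', 'between:1,100'],
        ]);

        $query = User::query();

        if (isset($validated['search'])) {
            // The value is sent as a bound parameter, so it never becomes
            // part of the SQL text. Note that '%' and '_' in the input still
            // act as LIKE wildcards; escape them if that matters to you.
            $query->where('name', 'like', '%' . $validated['search'] . '%');
        }

        // Column names cannot be bound parameters, so the 'in:' allow-list
        // above is what makes passing this value into orderBy() safe.
        $query->orderBy($validated['sort'] ?? 'created_at');

        // Bounding per_page keeps a single request from pulling the whole table.
        return $query->paginate($validated['per_page'] ?? 15);
    }
}
```

Only keys that appear in the rules end up in `$validated`, so an extra `?role=admin` in the URL is simply dropped rather than reaching the query. The `sort` allow-list and the `per_page` upper bound are the two checks that matter most for a read-only endpoint: one value is interpolated into the SQL as an identifier, the other controls how much work the database does.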
pthai-it-dev:

@SilenceBringer so I have to create a form request for each GET request I have? That's a lot of work. But still, thank you for your answer!

kokoshneta:

@pthai-it-dev Why would you need to create a form request? You don’t need a form request to validate request data, that’s built into the base request class itself.

Lumethys:

@pthai-it-dev it's called a "form request", which means it only concerns "form" requests, i.e. POST (and maybe PUT, PATCH, DELETE if you are making an API).

The point is, anything that changes data should be validated.

As for GET requests, they should NEVER change any data; they simply return a view, or return some data, and everything else in your app is unaffected.

1 like
Lumethys:

@pthai-it-dev short answer: yes.

Long answer: why are you validating data? Because users can inject malicious data, and if it is unvalidated, it may ruin your app.

Since a GET request is supposed to be unable to change any data, then even if your user injects a malicious param, it simply does nothing. Just make sure that no GET request does anything to your data.

kokoshneta:

@pthai-it-dev If you only use GET params in ways that cannot change data, then you shouldn't need to validate them. For example:

    $user = User::find($request->id);

This should be fine, because even if someone has tried to maliciously insert an injection-attack string into the URL, that string will be passed as a prepared parameter, which means the query will simply fail and not find any users.

If you’re sending data through GET requests and then use it to update or create data in your database, you definitely need to validate it first. But then you also need to look at your application logic, because such data shouldn’t be sent via GET requests in the first place.

1 like
