No Compromises

Validation may seem boring, but it's a vital part of any Laravel application. Joel and Aaron share some tips on validation along with exciting news about a new resource to master Laravel validation rules.

Find out more about Mastering Laravel Validation Rules.

Creators & Guests

Host
Aaron Saray
Host
Joel Clermont

What is No Compromises?

Two seasoned salty programming veterans talk best practices based on years of working with Laravel SaaS teams.

Joel Clermont (00:00):
Welcome to No Compromises, a peek into the mind of two old web devs who have seen some things. This is Joel.

Aaron Saray (00:08):
And this is Aaron. Joel, have you ever heard of War Games?

Joel Clermont (00:18):
I've heard of the movie. Is that what you're talking about?

Aaron Saray (00:20):
Besides that. In the security and hacker community, there's this concept called War Games. What they do is someone who's very good at setting up scenarios and thinking of attack vectors will set up a number of increasingly difficult stages on websites or servers, and then you try to hack into them, find a security hole. Sometimes they call it Capture The Flag too because you go from this place-

Joel Clermont (00:52):
Okay. Yeah, I played that.

Aaron Saray (00:54):
... to capture whatever, and you move on through the thing. That's kind of where I started out in my career, is much more in that area. I guess wherever you start out kind of shapes your thinking. Earlier, I think I also mentioned I did some tech support, so I've always had a little bit of an empathetic yet "you're out to attack me" attitude. Which is a weird combination.

Joel Clermont (01:23):
The empathetic paranoia.

Aaron Saray (01:25):
Yeah, exactly.

Joel Clermont (01:27):
Okay.

Aaron Saray (01:27):
You're a great person but why are you trying to attack me? So because of that, I'm always thinking about security related things. Especially now, we're hearing about the news all the time stuff being leaked and all this kind of stuff, and people thinking, "It's not going to happen to me though." And pretty much we've seen it's going to happen to everyone all the time. One of the interesting things about those stories though is, except for a few, they don't ever really get down deep and tell you what happened.

Joel Clermont (01:56):
Right.

Aaron Saray (01:56):
They're just going to say, "This was hacked," or whatever. And it kind of gives that company, and maybe those programmers, a bad name too. Like, what actually happened? How did they actually get in there, right?

Joel Clermont (02:08):
Yeah.

Aaron Saray (02:08):
So for me, not only do I want to keep my stuff safe, I just don't like the fact that someone could hack into my stuff. I also think about my name or my company's names or my clients, I want to protect them because no one goes in deeper and thinks about what actually happened. If you made some software and someone hacked it, it's going to look bad on you. That's kind of one of the reasons why I started really thinking a lot more about validation in Laravel. I like to use a lot of the validation to look for little security holes or things that people shouldn't be doing. I kind of take a whitelist approach too and say, "I'm going to only accept these things." And I have this, I'll call it healthy paranoia that everyone is out there to attack me or attack my website. Not me personally. So that's where I kind of focus a lot on validation to stop these things from happening because I don't want anything bad to happen.

Joel Clermont (03:05):
Yeah. I mean, I think that's a good approach. Especially if it's a mindset you're coming from, it shapes decisions you make and maybe even how you test things. Yeah, I like that.

Aaron Saray (03:15):
Yeah. I try not to take it too far, but I want my data to be secure and clean.

Joel Clermont (03:22):
I mean, I guess maybe I come at it from the other side of it, which is the data. Less paranoia that people are out to get me and more paranoia that people won't type things in the way that I expect that a normal person would type something in. Like, a phone number.

Aaron Saray (03:40):
'Normal person'?

Joel Clermont (03:42):
'Normal person.' Well normal, like they think the same as me. That's where I'm coming from. But validation is something that can save you pain down the road when all of a sudden you have to pull a report or you want to use this data. It's not just a blob of text but now you actually want to send an SMS to that phone number or something like that. And all of a sudden you find out you have 48 different possible ways that people have typed in phone numbers. Some of them are incomplete, some of them have pluses, some of them have parentheses or dashes or dots, or somebody used heart emojis to separate the segments of their phone number. But the point is-

Aaron Saray (04:21):
As I do.

Joel Clermont (04:22):
Yeah, Aaron. I don't want to call you out, but I'm glad you admitted to that. But, yeah, I mean validation when I'm writing rules, a lot of times I'm thinking about that too. Is how can I prevent not just bad data, but even data that's messy or not the expected format? Or preventing somebody from just going nuts and typing something way too long into the name field and throwing an error at the database layer or something like that. Yeah, I see a lot of value in validation for those reasons too. I think we're in agreement that validation, good.

Aaron Saray (04:57):
I mean, this is going to indent me, so maybe don't think about this too much. But I remember one of the very first buffer overflows or exploits that happened in Windows 95 was someone just typed A 23,000 times in the login screen and that took them in.

Joel Clermont (05:17):
Wow.

Aaron Saray (05:18):
I always think about that too. There's so many weird things that we just don't think about.

Joel Clermont (05:23):
Yes, for sure. You and I have worked together on a number of projects and we've kind of developed a way of writing validation. And different teams might choose different standards but I think having a standard, and as a team agreeing what is the right way to write? What is the correct way to write validation? Sounded confusing. Maybe we could talk about that a little bit. The first question, where do I put the validation rules? You can maybe think of a few different places you could put it.

Aaron Saray (05:52):
Yeah, I think that's definitely one of them. You know, the format of the rules.

Joel Clermont (05:57):
Sure.

Aaron Saray (05:57):
How in depth you're going to get. There can be, how soon do you want to stop someone in the process? I know that's probably hard to understand, so let me give you an example. If we have a rule that has an in. You have all these in items it can be and they all happen to be numbers, do you also check to make sure that it's numeric first and stop them there before you check the in? You know, things like that. Then also do you use bail? Do you stop on just the first error or do you let all the fields validate? All those different things like that are good standards to have too. Because they not only help people write code faster, which is what standards also help you with, they help you review code faster, have less nitpicky things, and give a good user experience.

Joel Clermont (06:52):
Yeah, those are all important things. Just a current example of this. Our standard is to always use the array syntax for rules, even if it's simple. Literally, if it's just required string, yeah, you could do that as pipe-delimited string but we've chosen to always use arrays. And I sort of have internalized that and I don't think about it a lot anymore. But I was dusting off an old code base, looking through some old form requests and I'm like, "Oh, what's wrong with this?" Because it was just different from the way we normally do it. There was this little extra mental overhead and I just immediately didn't like it. Not that any one way is right or wrong, but we've chosen that approach because of some specific benefits. But, yeah, just looking at that other one I had this mental overhead and I'm like, "I can't imagine being on a team where some people are doing it one way and some people are doing it another way." Pull requests and jumping in different sections of the code could get really difficult with all those different styles.

Aaron Saray (07:54):
It's funny you said the right way or the correct way, and then you're like, "Well, maybe not the correct way." It's the correct way for your team and for your-

Joel Clermont (08:02):
Yeah, exactly.

Aaron Saray (08:03):
Well, now when you're talking about correct, I also think about too... Every time I go to the Laravel documentation, there's tons of rules. Which one is the right one to use? Actually what's pretty interesting too is Laravel is constantly evolving and they're adding new rules pretty much, well not every week. But they can happen in the weekly releases or the minor versions.

Joel Clermont (08:31):
Yeah. I mean, that happened fairly recently, right? Within the last several weeks there was that new Prohibited If, and Prohibited Unless rules. Those are probably not ones I've reached for. In fact, I don't think I've even used prohibited. But there was already Exclude If and Exclude Unless, and Required If. It just was adding some symmetry to the code base and somebody had a need for it and saw that itch was scratched and it was added to the docs, it was added to the framework. But, I mean, to your point, unless you're looking at the docs or following a newsfeed, or watching the PRs, you might not even know about new rules that are available for you to use.

Aaron Saray (09:11):
I think a lot of people are a little, "Validation isn't the most exciting thing."

Joel Clermont (09:15):
No.

Aaron Saray (09:15):
But there are a lot of good reasons to make sure you focus on it. Like you said, yours is you focus a lot on data integrity and I do security. Yeah, you have to keep up to date with that.

Joel Clermont (09:29):
For sure. Keeping up to date, figuring out the right rules. It's no coincidence we're talking about this because we've been working-

Aaron Saray (09:38):
Why Joel?

Joel Clermont (09:40):
We've been working really hard on a really complete reference on the topic of validation, so both a book and some accompanying exercise to help you practice. If you're intrigued by this discussion, make sure to listen to the end. Our final little tidbit will have a URL where you can get more information on the book.

Aaron Saray (10:07):
They say it's not odd... I mean, it's not very strange there's a one in 12 chance as a man that I'd be colorblind. Let me tell you, I'm pretty colorblind.

Joel Clermont (10:20):
Is there degrees of it?

Aaron Saray (10:21):
Yeah. There's different types of color blindness.

Joel Clermont (10:23):
Okay.

Aaron Saray (10:23):
So I have red-green. There's different shades and hues and it can be worse or not. But invariably what happens is if I mention I'm colorblind to someone, the first thing they do is they find something and they hold it up and they ask me, "What color is this?"

Joel Clermont (10:42):
Okay.

Aaron Saray (10:42):
First of all, that's super annoying, right?

Joel Clermont (10:45):
Mm-Hmm (affirmative).

Aaron Saray (10:45):
It's like, oh, I know what's happening. As soon as I say, "Color blind," you're like, "Oh, what color is this?" I look at it, I'm like, "Well, that's blue." They're like, "No, ha-ha-ha. It's navy blue."

Joel Clermont (10:54):
Oh boy.

Aaron Saray (10:55):
Well, I don't even... Sure, I bet most people get that wrong. Like, when you ask someone, "What color is my shirt?" "Well, it's burnt sienna." No, it's like-

Joel Clermont (11:06):
Very wrinkled.

Aaron Saray (11:07):
So I got a lot of guff for this when I was growing up. My colorblindness and I'd wear a lot of black. Not because I was some emo kid, but just because, hey, it's a color I can see real well.

Joel Clermont (11:24):
There you go, yeah.

Aaron Saray (11:26):
I was wearing a bunch of sweatshirts. They're all black, different brands. Someone said, "Why don't you get a different colored sweatshirt?" I was like, "Fine." I went to the store and I found a sweatshirt that I really liked, lo and behold it was green. But I was like, "I'm just going to make sure," because I know I'm colorblind and I didn't think to ask someone. But I took it over by the home and garden section and I found a fake plant. I held up the sweatshirt to the fake plant tree leaf and they were the same. I was like, "Yes, green sweatshirt." I bought the sweatshirt and I wore it to school the next day. Kids are going like, "What? Another black sweatshirt?"
I was like, "What?" Well, turns out I'd grabbed the wrong side of the fake tree leaf. The front was green, the bottom was black and so I'd ended up taking a black one again. Yeah, I've only run a couple stop lights. I'll tell you what, if you have a stop sign on your property and it's by some trees or bushes and stuff like that, maybe cut those down so people like me who... can see the stop sign I guess.

Joel Clermont (12:46):
Good advice, I'm learning so much. I guess the first thing I'd say, Aaron, though, when they tease you for the black sweatshirt again, you'd be like, "This isn't black, it's charcoal."

Aaron Saray (12:57):
When I go to my high school reunion?

Joel Clermont (13:01):
You have that queued up, ready to go.

Aaron Saray (13:03):
"Remember how you used to pick on me? Well, it's charcoal."

Joel Clermont (13:06):
Yeah. The only thing I can relate to as a color visible person... What's the opposite of colorblind, color seeing?

Aaron Saray (13:18):
Normal.

Joel Clermont (13:19):
When I go to the eye doctor once a year for a checkup, part of what they do is they test your color vision. And I always start panicking towards the end because even though I'm not colorblind, they're so similar. I'm like, "Is that like 27 or is it 26? I can't tell the difference."

Aaron Saray (13:37):
All right. You said something I just totally forgot about. You said towards the end, I get the first one. It's 72 or 76, but after that I can't see any of them.

Joel Clermont (13:47):
All right, fair enough.

Aaron Saray (13:51):
Well, a promise is a promise, Joel. I want to know more about that book.

Joel Clermont (13:55):
I can definitely help with that. If you're interested and want to learn more, head to our website at nocompromises.io/book to find out more.