---
title: Use Form Request Classes for Validation
impact: HIGH
impactDescription: keeps controllers thin, centralizes validation logic and authorization, enables reuse
tags: validation, form-request, controller, laravel, clean-architecture
---

## Use Form Request Classes for Validation

Putting `$request->validate()` directly in controller actions mixes concerns, prevents reuse, and inflates controllers. Form Requests encapsulate validation + authorization as a dedicated class.

**Wrong:**

```php
// Controller bloated with validation logic
public function store(Request $request)
{
    $request->validate([
        'name'  => 'required|string|max:255',
        'email' => 'required|email|unique:users',
        'age'   => 'required|integer|min:18',
    ]);

    User::create($request->all());
}
```

**Correct:**

```bash
# Generate a Form Request
php artisan make:request StoreUserRequest
```

```php
// app/Http/Requests/StoreUserRequest.php
class StoreUserRequest extends FormRequest
{
    public function authorize(): bool
    {
        return $this->user()->can('create', User::class);
    }

    public function rules(): array
    {
        return [
            'name'  => 'required|string|max:255',
            'email' => 'required|email|unique:users',
            'age'   => 'required|integer|min:18',
        ];
    }
}

// Controller is now thin
public function store(StoreUserRequest $request)
{
    User::create($request->validated()); // never $request->all()
}
```

**Key points:**
- Always use `$request->validated()` not `$request->all()` — only returns fields that passed validation
- Authorization logic belongs in `authorize()`, not the controller
- One Form Request per action (StoreUserRequest, UpdateUserRequest are separate)
