Documentation

Request & Validation

Access incoming data safely and validate payloads quickly using HexPHP's built-in Request and Validator engines.

The Request Object

The \App\Core\Request class provides a static interface allowing you to easily read HTTP parameters seamlessly without manually digging into $_POST or $_GET. 

<?php
use App\Core\Request;

// Retrieve all incoming parameters (GET & POST merged)
$data = Request::all();

// Retrieve a specific key, with an optional default fallback
$email = Request::input('email', 'no-reply@domain.com');

// Check if a parameter exists
if (Request::has('password')) { ... }

// Grab strictly defined keys
$credentials = Request::only(['email', 'password']);

The Validator Engine

Validate associative arrays strictly with zero bloated dependencies using the \App\Core\Validator engine. 

<?php
use App\Core\Request;
use App\Core\Validator;

$payload = Request::all();

// Enforce rules piped by a | character
$errors = Validator::make($payload, [
    'email'    => 'required|email',
    'password' => 'required|min:8|max:20'
]);

if (!empty($errors)) {
    // The $errors array maps rule violations to the field name.
    // e.g. $errors['email'][0] === 'The email field must be a valid email address.'
    print_r($errors);
    exit;
}
Available Rules
  • required - Fails if field is missing, null, or empty string.
  • email - Enforces native PHP filter verification.
  • min:X - Minimum string character length.
  • max:X - Maximum string character length.

CSRF Protection Middleware

Combining the new Request pipeline with Middleware, HexPHP ships with a native VerifyCsrfToken middleware specifically built to protect state-changing requests (POST, PUT, DELETE).

Because HTMX is permanently instructed by \App\Core\System::scripts() to automatically include your session's cryptographically-locked CSRF token as an X-CSRF-Token HTTP Header, you just have to add the middleware to your route array: 

// config/routes.php

// This endpoint is automatically protected against Cross-Site Request Forgery!
Router::post('/submit-form', ['FormController', 'store'], ['VerifyCsrfToken']);