This article is a comprehensive tutorial on using the Prohibited Validation Rules in Laravel. You will learn how to apply prohibited, prohibited_if, and prohibited_unless with clear explanations, real-life scenarios, and code examples. This guide is perfect for developers who want to master advanced validation techniques in Laravel applications.
Table of contents [Show]
Laravel’s validation system is one of its most powerful features. It ensures that the data entering your application is safe, reliable, and formatted correctly. While most validation rules are about allowing or restricting data formats, Laravel also provides a special set of rules called Prohibited Validation Rules.
These rules are not about requiring a value but instead about explicitly preventing the presence of certain fields. This is useful in scenarios where you want to ensure that some fields are not submitted at all under certain conditions.
In this article, we’ll explore three powerful rules in detail:
Imagine you are building a form where users can either choose one option or another, but not both. Or perhaps, in certain workflows, a field should never be present. Without prohibited rules, developers often relied on custom validation logic.
Laravel’s prohibited rules solve this cleanly, making your validation logic shorter, more expressive, and easier to maintain.
Some real-world examples include:
prohibited RuleThe prohibited rule disallows the presence of a field entirely. If a field is submitted with any value (even empty), validation will fail.
// In a controller or FormRequest
$request->validate([
'admin' => 'prohibited',
]);
In this case, if the request contains an admin field, validation will fail regardless of its value.
Let’s say you have a public registration form. You want to ensure no one can submit an admin flag while signing up.
// RegistrationController.php
public function register(Request $request)
{
$request->validate([
'name' => 'required|string|max:255',
'email' => 'required|email|unique:users',
'password' => 'required|min:8',
'admin' => 'prohibited',
]);
User::create($request->only(['name', 'email', 'password']));
}
This prevents malicious users from trying to give themselves admin privileges through hidden form fields.
prohibited_if RuleThe prohibited_if rule prohibits a field if another field has a given value. This is useful for mutually exclusive options.
'field_name' => 'prohibited_if:another_field,value'
$request->validate([
'discount_code' => 'prohibited_if:membership,premium',
]);
Here, if the membership field equals premium, then discount_code is not allowed.
Consider an e-commerce checkout form:
public function checkout(Request $request)
{
$request->validate([
'membership' => 'required|in:basic,premium',
'discount_code' => 'nullable|string|prohibited_if:membership,premium',
]);
// Process checkout
}
This ensures that premium users cannot submit a discount code.
prohibited_unless RuleThe prohibited_unless rule disallows a field unless another field has a specific value.
'field_name' => 'prohibited_unless:another_field,value'
$request->validate([
'vip_code' => 'prohibited_unless:membership,vip',
]);
Here, the vip_code field is prohibited unless membership equals vip.
public function apply(Request $request)
{
$request->validate([
'membership' => 'required|in:basic,vip',
'vip_code' => 'nullable|string|prohibited_unless:membership,vip',
]);
// Logic here
}
This ensures that only VIP members can submit a VIP code.
| Rule | Behavior | Example Scenario |
|---|---|---|
prohibited | Always disallows a field if present | Prevent users from submitting hidden admin flag |
prohibited_if | Disallows field if another field has a given value | No discount code if membership is premium |
prohibited_unless | Disallows field unless another field has a given value | VIP code only allowed if membership is VIP |
For cleaner code, you can use Form Request classes instead of inline validation.
php artisan make:request CheckoutRequest
In CheckoutRequest.php:
public function rules()
{
return [
'membership' => 'required|in:basic,premium,vip',
'discount_code' => 'prohibited_if:membership,premium',
'vip_code' => 'prohibited_unless:membership,vip',
];
}
This makes your controller code much cleaner and centralizes validation logic.
You can combine prohibited rules with other rules, though keep in mind that prohibited always takes priority if triggered.
$request->validate([
'vip_code' => 'nullable|string|min:5|prohibited_unless:membership,vip',
]);
If membership is not VIP, the field is prohibited. If it is VIP, then vip_code must be a string with a minimum length of 5.
By default, Laravel generates messages like:
The admin field is prohibited.The discount code field is prohibited when membership is premium.The vip code field is prohibited unless membership is vip.You can customize these in your resources/lang/en/validation.php file.
'prohibited' => 'The :attribute field is not allowed.',
'prohibited_if' => 'The :attribute field is not allowed when :other is :value.',
'prohibited_unless' => 'The :attribute field is not allowed unless :other is :value.',
prohibited for security-sensitive fields (e.g., admin, is_superuser).prohibited_if when enforcing mutual exclusivity between fields.prohibited_unless to restrict fields to specific roles or options.FormRequest for cleaner controllers.Laravel’s Prohibited Validation Rules offer a powerful way to enforce data restrictions beyond just requiring or formatting fields. Whether you want to prevent unauthorized fields, enforce mutual exclusivity, or ensure a field only appears under certain conditions, these rules give you expressive tools right out of the box.
By mastering prohibited, prohibited_if, and prohibited_unless, you can secure your application, simplify validation logic, and create cleaner forms for your users.
This detailed tutorial explores request validation in Laravel controllers. You’ll learn multiple techniques—basic controller validation, using form request classes, custom rules, conditional validation, error handling, localization, and best practices. With practical examples, code snippets, and structured explanations, this article is designed for beginners to advance learner.
This guide teaches you how to deploy Laravel applications to production servers. From preparing your environment and configuring Nginx or Apache, to database migrations, caching, performance optimization, CI/CD pipelines, and security practices—this article covers everything step by step.It’s suitable for both beginners and advanced developers who want to ship stable, secure & scalable app.
This guide will take you deep into testing in Laravel using both PHPUnit and Pest. You will learn step by step how to set up testing, write unit and feature tests, test APIs, and follow test-driven development (TDD) principles. Complete with code examples, actionable instructions, and best practices, this guide is designed to make you professional in testing.
