A Laravel middleware to sanitize the incoming HTTP request parameters.
Laravel provides one of the best mechanisms to filter your incoming HTTP request parameters. In this post we will build a middleware that sanitizes every incoming HTTP request parameter. Imagine calling functions like trim() and strip_tags() every time you use a request parameter in a query. Wouldn't it be better if a middleware did this job so you no longer had to worry about it? Let's get started. But before we build the middleware, here is a brief explanation of what middleware is and how it works.
When you hit a URL, your Laravel application passes the request through middleware, where it performs certain actions, such as checking whether the user is authenticated, and then returns the appropriate response. Our middleware will do the same: when an HTTP request arrives, the middleware will process and sanitize it and then pass it on to the next middleware. Laravel divides middleware into two categories:
Global Middleware: Middleware defined in this category is executed for every HTTP request.
Route Middleware: Middleware defined in this category is executed only for specific routes.
Before we dive into constructing the middleware, I am assuming you have a Laravel project installed locally.
To create a middleware, run the following command:
php artisan make:middleware StripTagsFromIncomingRequest
This will create a middleware in your app/Http/Middleware directory.
Now we will make our middleware extend Illuminate\Foundation\Http\Middleware\TransformsRequest (src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php in the framework), like this: class StripTagsFromIncomingRequest extends TransformsRequest. The main reason to do this is that TransformsRequest already contains the functions that walk over the request parameters for us, so we only need to override the transform() function, which will contain our sanitizing code. Add this function to your middleware file:
    /**
     * Called by TransformsRequest for every request parameter (query string, form and JSON).
     */
    protected function transform($key, $value)
    {
        return is_string($value) && $value !== '' ? strip_tags($value) : $value;
    }
I have used strip_tags() to remove HTML and PHP tags. This function is your playground: you can use any combination of logic and functions to sanitize your request parameters.
One thing to notice is that this function will remove HTML tags, special characters, etc., depending on the logic you write. But what happens when a request containing a password or password confirmation comes in? Your password will be stripped as well. To avoid this we will add one tweak to the code. First, we declare a member variable $except, which holds an array of field names. See below:
    protected $except = [
        'password',
        'password_confirmation',
    ];
$except contains the names of the fields we do not want trimmed, stripped, etc. After that, change the transform function to this:
    protected function transform($key, $value)
    {
        // Fields listed in $except pass through untouched.
        if (in_array($key, $this->except, true)) {
            return $value;
        }

        return is_string($value) && $value !== '' ? strip_tags($value) : $value;
    }
As you can see, we have added an if condition that checks whether the field name is present in the $except array; if so, it returns the value unchanged without running any sanitizing logic on it, thus protecting fields that do not need sanitizing.
Our middleware is ready now; the only thing left is to register the middleware class in the kernel. Open app/Http/Kernel.php. Here you can see three arrays of middleware. Let me explain them, which will help you decide in which group to keep your middleware.
$middleware: Middleware placed in this array runs on every request to your application.
$middlewareGroups: This array has nested arrays such as 'web' and 'api'. If you put your middleware in one of these nested arrays, it runs only for that particular group of routes.
$routeMiddleware: If you add your middleware to this array you have to give it a name as the key. That name then works as the identifier you use to attach the middleware to individual routes.
Add your middleware to any of these arrays and your middleware is up and running.
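Putting the steps above together, here is the complete middleware file as an added example; it is not code from the original post or from the Laravel framework. It assumes a standard Laravel application layout, with the file at app/Http/Middleware/StripTagsFromIncomingRequest.php, and the Kernel.php registration shown in the trailing comment. The shouldSkip() helper and the handling of dot-path keys for nested input are my additions, based on the assumption that recent Laravel versions pass nested parameters to transform() as "parent.child" keys; if your version passes plain keys only, the exact-match branch still covers the fields named in $except.

```php
<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\TransformsRequest;

/**
 * Strips HTML and PHP tags from every string parameter of the incoming
 * request, except for the fields listed in $except.
 */
class StripTagsFromIncomingRequest extends TransformsRequest
{
    /**
     * Input fields that must reach the controller untouched.
     * Passwords are the obvious case: a "<" or ">" typed into a password
     * must not be silently removed, or the stored hash will never match.
     */
    protected $except = [
        'password',
        'password_confirmation',
    ];

    /**
     * Called by TransformsRequest for every query-string, form and JSON value.
     */
    protected function transform($key, $value)
    {
        if ($this->shouldSkip($key)) {
            return $value;
        }

        return is_string($value) && $value !== '' ? strip_tags($value) : $value;
    }

    /**
     * True when the full key, or the last segment of a dot-path key such as
     * "user.password" (assumed key format for nested input), is in $except.
     */
    protected function shouldSkip($key)
    {
        if (in_array($key, $this->except, true)) {
            return true;
        }

        $segments = explode('.', (string) $key);
        $last = end($segments);

        return in_array($last, $this->except, true);
    }
}

// Registration in app/Http/Kernel.php; pick one of the three arrays as
// explained above. Putting it in the 'web' group looks like this:
//
// protected $middlewareGroups = [
//     'web' => [
//         // ...existing middleware...
//         \App\Http\Middleware\StripTagsFromIncomingRequest::class,
//     ],
// ];
```

Two things worth keeping in mind when you deploy this: strip_tags() is an input-normalization step, not a substitute for output escaping, so keep rendering user data through Blade's escaped {{ }} syntax (and parameterized queries on the database side); and because strip_tags() discards everything from an unescaped "<" that looks like a tag start, legitimate free-text input such as "a<b" loses data, which is exactly why fields like passwords belong in $except.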
I hope this article helps you understand and build middleware of your own for your application. Please let me know in the comments about mistakes, improvements, or suggestions.