Where should form validation occur in a MVC project?

Question

I'm using Kohana, but I think this question is more general.

I have been doing form validation in the controller, and it has worked well so far. But lately, I've ran into a problem.

I have a comments model, and I send comments from a few different controllers to it. Instead of having a validator in every controller, I placed it in the model.

This is great because

• Only one place to change/add validation rules (DRY)

This sucks because

• I obviously need to return a success or failure to the controller, and Kohana's validation library returns errors as an array. So my return looks like this

ON SUCCESS

array('success' => true);

ON FAIL

array('success' => false, $errors);

I can't help but think this is wrong. It feels wrong.

If I do it in the controller, I can simply do

if ($post->validate()) {
     doWhatever();
} else {
     $this->template->formErrors = $post->errors('form_errors');
}

Which seems better (to me).

Is there a better way to do this? Should I validate in the controller or method? Am I going crazy?

Answer 1

I prefer to not repeat myself over feelings, do the method. Besides the array is handy since you can show the errors from the array in a view if you wanted. I have not used kohana, but the validation method I have been using in ASP.NET MVC provides me with a similar list and I can then show the user what precisely is wrong.

Answer 2

I honestly don't see anything wrong with your method, alex. It seems like you're doing it properly. You're following the DRY principle, which for me is usually the yardstick to measure if I'm doing something right when it comes to MVC.

Answer 3

You should always (if you can) validate on client (JS). And since that can be bypassed - you validate on server as well. And yes - putting your validation to some reusable form is great idea

Answer 4

Fat models. Small controllers. That's the way I always did it. Validation to me is at the data layer. The data layer (to me, at least) is the model. I normally use CakePHP as my MVC framework... Maybe that's why my validation is at the model. It's CakePHP's way.

Answer 5

Not saying that it is THE only way, but I prefer using the Model. Follow DRY and keep controllers should be skinny. If the "return" issue your biggest gripe, might I suggest that your validation throw an Exception on validation error?

try {
    $p->validate();
} catch(Exception e) {
    //handle error however you like
    echo $e->getMessage();
}

Answer 6

I do validation in the model too. Most modeling libs like ORM, Auto_Modeler etc. also support validation. BTW it's faster if you ask on the #kohana channel on FreeNode (irc.freenode.net). We (usually) don't bite :)

Answer 7

i don't think all validation rules can go inside the model. validation it's all about the form (or the API). the fact is that when you are going to validate your data, most of the things depends from the context.

for example, is this a logged user taking the action ? you won't couple your authentication layer with the model being validate. so, all the cheks must go inside the controller. the model is context agnostic, the form "belongs" to the controller and is context aware.

i think that having per form validation rules plus basic in-model checks for well formed data is the way to go. if you're calling Auth::instance() or Session::instance() inside your model validate() function, then you're doing it wrong.