Laravel Version
13.5.0
PHP Version
8.4.18
Database Driver & Version
No database interaction required for reproduction
Description
Enabling FormRequest::failOnUnknownFields() also rejects query string parameters as unknown fields.
In particular, I could reproduce this with:
pageperPageexpiressignature
This affects both normal list endpoints and Laravel signed URLs.
If this behavior is intended, the documentation should explicitly mention that failOnUnknownFields() applies to the full request input, including query string parameters and signed URL parameters.
For example, an Inertia response may contain:
{
"props": {
"errors": {
"page": "The page field is prohibited.",
"perPage": "The perPage field is prohibited."
}
}
}Steps To Reproduce
- Enable unknown field rejection globally:
<?php
declare(strict_types=1);
namespace App\Providers;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Support\ServiceProvider;
final class AppServiceProvider extends ServiceProvider
{
public function boot(): void
{
FormRequest::failOnUnknownFields();
}
}
- Use a
FormRequest with no query-related rules:
<?php
declare(strict_types=1);
namespace App\Http\Requests;
use Illuminate\Foundation\Http\FormRequest;
final class ExampleRequest extends FormRequest
{
public function authorize(): bool
{
return true;
}
public function rules(): array
{
return [];
}
}
- Use that request on a GET route.
- Call the endpoint with:
GET /example?page=1&perPage=5
- Also try a signed route using:
URL::temporarySignedRoute('example.signed', now()->addMinutes(5));Expected Behavior
At minimum, the documentation should clearly state that failOnUnknownFields() also affects query string parameters, including:
- pagination parameters like
page and perPage
- signed URL parameters like
expires and signature
Actual Behavior
The request fails validation because those query parameters are treated as unknown fields.
Observed errors include:
The page field is prohibited.The perPage field is prohibited.The expires field is prohibited.The signature field is prohibited.
I also confirmed that explicitly declaring expires and signature in the request rules makes the signed URL pass, so that appears to be the currently required behavior.
Additional Context
This is easy to run into on normal index endpoints and signed URL flows, and it was not obvious to me from the feature name alone that these query parameters would be included.
Laravel Version
13.5.0
PHP Version
8.4.18
Database Driver & Version
No database interaction required for reproduction
Description
Enabling
FormRequest::failOnUnknownFields()also rejects query string parameters as unknown fields.In particular, I could reproduce this with:
pageperPageexpiressignatureThis affects both normal list endpoints and Laravel signed URLs.
If this behavior is intended, the documentation should explicitly mention that
failOnUnknownFields()applies to the full request input, including query string parameters and signed URL parameters.For example, an Inertia response may contain:
{ "props": { "errors": { "page": "The page field is prohibited.", "perPage": "The perPage field is prohibited." } } }Steps To Reproduce
FormRequestwith no query-related rules:Expected Behavior
At minimum, the documentation should clearly state that
failOnUnknownFields()also affects query string parameters, including:pageandperPageexpiresandsignatureActual Behavior
The request fails validation because those query parameters are treated as unknown fields.
Observed errors include:
The page field is prohibited.The perPage field is prohibited.The expires field is prohibited.The signature field is prohibited.I also confirmed that explicitly declaring
expiresandsignaturein the request rules makes the signed URL pass, so that appears to be the currently required behavior.Additional Context
This is easy to run into on normal index endpoints and signed URL flows, and it was not obvious to me from the feature name alone that these query parameters would be included.