These tips mention validation a lot. We even have a whole book on the topic.
One area I haven't written a tip about yet is validating input to Artisan commands.
I've heard some arguments that commands are either scheduled with predictable inputs or run manually by trusted developers, therefore validation isn't important.
Before I take that argument apart, let's set up a concrete example.
In this repo, I have a command that compiles a date range of tips into a printable book. That command requires a date range and a volume number which are used when generating the final PDF volume:
php artisan tips:create-book 2026-01-01 2026-03-31 1
Ok, so with that example established, is this worth validating?
I say yes! I'm a developer, and I'm not going to maliciously feed this command values to try to exploit the system, but I can make mistakes. Perhaps the bad data causes the command to crash, or even worse, maybe I typo a date and miss a couple tips from that quarter's volume.
And these days, I think there's an additional argument to consider: a coding agent might be the one running the command on my behalf.
I point it at a task, it discovers the command, and it calls it with whatever arguments it decides are correct.
So the old excuse of "only trusted devs run this" no longer holds. The command is now part of a surface an LLM can reach, and it deserves the same rigor I would give a controller action.
The one wrinkle is that a command doesn't have a FormRequest or other nice conveniences the framework enables in a controller.
I have to invoke the Validator class directly and then manually handle a failing result.
It's slightly less convenient, but I still think it's worth doing.
And in a future tip, I'm going to share some ideas I've been playing around with to make validation feel more like a first-class feature of Artisan commands.
Here to help,
Joel
P.S. Want to see the output of this command we just discussed? Grab the latest tips volume.
