PHPackages                             frostybee/valicomb - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Validation &amp; Sanitization](/categories/validation)
4. /
5. frostybee/valicomb

ActiveLibrary[Validation &amp; Sanitization](/categories/validation)

frostybee/valicomb
==================

Modern, type-safe PHP validation library for PHP 8.2+ with security-first design and zero dependencies. This is a fork of vlucas/valitron.

v1.2.0(5mo ago)12247[1 issues](https://github.com/frostybee/valicomb/issues)BSD-3-ClausePHPPHP &gt;=8.2CI passing

Since Nov 16Pushed 3mo agoCompare

[ Source](https://github.com/frostybee/valicomb)[ Packagist](https://packagist.org/packages/frostybee/valicomb)[ Docs](https://github.com/frostybee/valicomb)[ RSS](/packages/frostybee-valicomb/feed)WikiDiscussions main Synced today

READMEChangelog (3)Dependencies (3)Versions (5)Used By (0)

 [![Valicomb](valicomb-icon.svg)](valicomb-icon.svg)

Valicomb
========

[](#valicomb)

**Simple, Modern PHP Validation**

 [![PHP Version](https://camo.githubusercontent.com/c5e8da782b1a0673c08b4f474108036d2cc973470eed2d5d89d48e8c8475eee6/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f7068702d253345253344382e322d626c75652e737667)](https://php.net/) [![License](https://camo.githubusercontent.com/3330c5849986f248a756c19d133401d05b0d249148b7d41eeb6648cebe21136c/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6c6963656e73652d4253442d2d332d2d436c617573652d677265656e2e737667)](LICENSE) [![Documentation](https://camo.githubusercontent.com/af4d48746468364b7fa11ef0510c306b0f328c79ec10eeaa2f9eef0cf906c007/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f646f63732d6f6e6c696e652d6f72616e67652e737667)](https://frostybee.github.io/valicomb/)

**Valicomb** is a simple, minimal PHP validation library with **zero dependencies**. A modernized fork of [vlucas/valitron](https://github.com/vlucas/valitron) for PHP 8.2+ with security-first design, strict type safety, and modern PHP features.

Features
--------

[](#features)

- **Modern PHP 8.2+ support** with strict types turned on, so everything is fully typed and predictable.
- **Security-first approach** that helps guard against things like ReDoS, type juggling issues, path traversal, and similar problems.
- **Thoroughly tested**, with over 430 tests making sure things behave the way they should.
- **No external dependencies**, other than the standard `ext-mbstring` extension.
- **Clean and straightforward API** that's easy to read and chain together.
- **Built-in i18n support**, offering 33 languages out of the box.
- **54 ready-to-use validation rules** covering the most common validation needs.
- **Easy to extend**, so you can add your own custom validation rules when needed.
- **Clean, modern codebase**, fully passing PHPStan Level 8 checks.

Requirements
------------

[](#requirements)

- PHP 8.2 or higher
- `ext-mbstring` extension

Installation
------------

[](#installation)

Install via Composer:

```
composer require frostybee/valicomb
```

Quick Start
-----------

[](#quick-start)

```
use Frostybee\Valicomb\Validator;

// Create validator with data
$v = new Validator([
    'username' => 'frostybee',
    'email'    => 'bee@example.com',
    'password' => 'Secret123!'
]);

// Define rules by field
$v->forFields([
    'username' => ['required', ['lengthBetween', 3, 20]],
    'email'    => ['required', 'email'],
    'password' => ['required', ['lengthMin', 8]]
]);

if ($v->validate()) {
    echo "Validation passed!";
} else {
    print_r($v->errors());
}
```

Reusing Validators
------------------

[](#reusing-validators)

Define validation rules once, then validate multiple datasets with `withData()`:

```
use Frostybee\Valicomb\Validator;

$baseValidator = new Validator([]);
$baseValidator->rule('required', 'email')->rule('email', 'email');

// Validate different datasets
$v1 = $baseValidator->withData(['email' => 'user1@example.com']);
$v1->validate(); // true

$v2 = $baseValidator->withData(['email' => 'invalid']);
$v2->validate(); // false
```

This is useful for form validation, API endpoints, and batch processing where the same rules apply to different data.

Built-in Validation Rules
-------------------------

[](#built-in-validation-rules)

**For detailed usage examples of each rule, see the [documentation](https://frostybee.github.io/valicomb/rules/overview/)**

### String Validators

[](#string-validators)

- `required` - Field is required
- `alpha` - Alphabetic characters only
- `alphaNum` - Alphabetic and numeric characters only
- `ascii` - ASCII characters only
- `slug` - URL slug characters (a-z, 0-9, -, \_)
- `email` - Valid email address
- `emailDNS` - Valid email address with active DNS record
- `contains` - Field is a string and contains the given string
- `regex` - Field matches given regex pattern
- `startsWith` - Field starts with the given string
- `endsWith` - Field ends with the given string
- `uuid` - Field is a valid UUID (supports versions 1-5)
- `passwordStrength` - Field meets password strength requirements

### Numeric Validators

[](#numeric-validators)

- `integer` - Must be integer number
- `numeric` - Must be numeric
- `min` - Minimum value
- `max` - Maximum value
- `between` - Value must be between min and max
- `positive` - Must be a positive number (greater than zero)
- `decimalPlaces` - Must have specified number of decimal places

### Length Validators

[](#length-validators)

- `length` - String must be certain length
- `lengthBetween` - String must be between given lengths
- `lengthMin` - String must be greater than given length
- `lengthMax` - String must be less than given length

### URL/Network Validators

[](#urlnetwork-validators)

- `url` - Valid URL
- `urlActive` - Valid URL with active DNS record
- `urlStrict` - Valid URL with strict validation
- `phone` - Valid phone number format

### Array Validators

[](#array-validators)

- `array` - Must be array
- `in` - Performs in\_array check on given array values
- `notIn` - Negation of `in` rule (not in array of values)
- `listContains` - Performs in\_array check on given array values (the other way round than `in`)
- `subset` - Field is an array or a scalar and all elements are contained in the given array
- `containsUnique` - Field is an array and contains unique values
- `arrayHasKeys` - Field is an array and contains all specified keys

### Date Validators

[](#date-validators)

- `date` - Field is a valid date
- `dateFormat` - Field is a valid date in the given format
- `dateBefore` - Field is a valid date and is before the given date
- `dateAfter` - Field is a valid date and is after the given date
- `past` - Field is a valid date in the past
- `future` - Field is a valid date in the future

### Comparison Validators

[](#comparison-validators)

- `equals` - Field must match another field (email/password confirmation)
- `different` - Field must be different than another field

### Type Validators

[](#type-validators)

- `boolean` - Must be boolean
- `ip` - Valid IP address
- `ipv4` - Valid IP v4 address
- `ipv6` - Valid IP v6 address
- `creditCard` - Field is a valid credit card number
- `instanceOf` - Field contains an instance of the given class

### Conditional Validators

[](#conditional-validators)

- `optional` - Value does not need to be included in data array. If it is however, it must pass validation.
- `nullable` - Field can be null; if null, other validation rules are skipped
- `accepted` - Checkbox or Radio must be accepted (yes, on, 1, true)
- `requiredWith` - Field is required if any other fields are present
- `requiredWithout` - Field is required if any other fields are NOT present

**NOTE**: If you are comparing floating-point numbers with min/max validators, you should install the [BCMath](http://us3.php.net/manual/en/book.bc.php) extension for greater accuracy and reliability. The extension is not required for Valicomb to work, but Valicomb will use it if available, and it is highly recommended.

Usage Examples
--------------

[](#usage-examples)

### Defining Validation Rules

[](#defining-validation-rules)

Valicomb provides four flexible ways to define validation rules:

#### 1. Field-based array (recommended)

[](#1-field-based-array-recommended)

Group rules by field - reads naturally as "for this field, apply these rules":

```
use Frostybee\Valicomb\Validator;

$v = new Validator($_POST);
$v->forFields([
    'name' => ['required', ['lengthMin', 2]],
    'email' => ['required', 'email', ['lengthMax', 254]]
]);
```

#### 2. Fluent/Chained syntax (best for custom messages)

[](#2-fluentchained-syntax-best-for-custom-messages)

```
use Frostybee\Valicomb\Validator;

$v = new Validator($_POST);
$v->rule('required', 'email')
  ->rule('email', 'email')
  ->rule('lengthMin', 'email', 5);
```

#### 3. Rule-based array (best when applying the same rule to many fields)

[](#3-rule-based-array-best-when-applying-the-same-rule-to-many-fields)

```
use Frostybee\Valicomb\Validator;

$v = new Validator($_POST);
$v->rules([
    'required' => ['name', 'email'],
    'email' => 'email',
    'lengthBetween' => [
        ['name', 1, 100],
        ['bio', 10, 500]
    ]
]);
```

#### 4. Fluent Field Builder (IDE autocomplete)

[](#4-fluent-field-builder-ide-autocomplete)

Chain validation methods directly on fields with full IDE autocomplete support:

```
use Frostybee\Valicomb\Validator;

$v = new Validator($_POST);

$v->field('email')
    ->required()
    ->email()
    ->lengthMax(254);

$v->field('password')
    ->required()
    ->lengthMin(8);
```

Add custom messages and labels inline:

```
$v->field('email')
    ->label('Email Address')
    ->required()->message('We need your email')
    ->email()->message('Please enter a valid email');
```

### Field Labels

[](#field-labels)

```
use Frostybee\Valicomb\Validator;

$v = new Validator($_POST);
$v->labels([
    'email' => 'Email Address',
    'password' => 'Password'
]);
```

### Custom Validation Rules

[](#custom-validation-rules)

```
use Frostybee\Valicomb\Validator;

$v = new Validator(['username' => 'admin']);

// Closure-based rule
$v->rule(function($field, $value, $params, $fields) {
    return $value !== 'admin';
}, 'username')->message('Username cannot be "admin"');

// Register global custom rule
Validator::addRule('strongPassword', function($field, $value, $params) {
    return preg_match('/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$/', $value);
}, 'Password must be at least 8 characters with uppercase, lowercase, and number');
```

### Stop on First Failure

[](#stop-on-first-failure)

By default, validation continues checking all rules even after encountering failures. You can configure the validator to stop the validation process as soon as the first failure occurs, which can improve performance when validating large datasets.

```
use Frostybee\Valicomb\Validator;

$v = new Validator($_POST);
$v->stopOnFirstFail(true);
$v->rule('required', ['email', 'password']);
$v->rule('email', 'email');
```

### Form Data Handling

[](#form-data-handling)

Valicomb properly handles form data where all values come as strings:

```
use Frostybee\Valicomb\Validator;

// $_POST data - everything is strings
$_POST = [
    'age' => '25',      // String, not int
    'price' => '19.99', // String, not float
    'active' => '1'     // String, not bool
];

$v = new Validator($_POST);
$v->rule('integer', 'age');   // Works with string '25'
$v->rule('numeric', 'price'); // Works with string '19.99'
$v->rule('boolean', 'active'); // Works with string '1'
```

### Nested Field Validation

[](#nested-field-validation)

```
use Frostybee\Valicomb\Validator;

$data = [
    'user' => [
        'email' => 'test@example.com',
        'profile' => [
            'age' => 25
        ]
    ]
];

$v = new Validator($data);
$v->rule('email', 'user.email');
$v->rule('integer', 'user.profile.age');
```

### Array Field Validation

[](#array-field-validation)

```
use Frostybee\Valicomb\Validator;

$data = [
    'users' => [
        ['email' => 'user1@example.com'],
        ['email' => 'user2@example.com']
    ]
];

$v = new Validator($data);
$v->rule('email', 'users.*.email'); // Validates all emails
```

### List Contains Validation

[](#list-contains-validation)

Check if an array field contains a specific value:

```
use Frostybee\Valicomb\Validator;

// Check if tags array contains 'php'
$v = new Validator(['tags' => ['php', 'javascript', 'python']]);
$v->rule('listContains', 'tags', 'php'); // true

// Strict type checking
$v = new Validator(['ids' => [1, 2, 3]]);
$v->rule('listContains', 'ids', '1', true); // false (strict: string !== int)

// For associative arrays, checks keys not values
$v = new Validator(['data' => ['name' => 'John', 'email' => 'john@example.com']]);
$v->rule('listContains', 'data', 'name'); // true (checks keys)
$v->rule('listContains', 'data', 'John'); // false (doesn't check values)
```

Security Features
-----------------

[](#security-features)

### ReDoS Protection

[](#redos-protection)

Regular expression validation includes automatic protection against catastrophic backtracking:

```
use Frostybee\Valicomb\Validator;

$v = new Validator(['field' => 'aaaaaaaaaaaa!']);
$v->rule('regex', 'field', '/^(a+)+$/'); // Throws RuntimeException on ReDoS pattern
```

### Type Juggling Prevention

[](#type-juggling-prevention)

All comparisons use strict equality (`===`) to prevent type juggling attacks:

```
use Frostybee\Valicomb\Validator;

$v = new Validator([
    'field1' => '0e123456',
    'field2' => '0e789012'
]);
$v->rule('equals', 'field1', 'field2'); // Returns false (strict comparison)
```

### URL Prefix Validation

[](#url-prefix-validation)

URL validation uses proper prefix checking to prevent bypass attacks:

```
use Frostybee\Valicomb\Validator;

// FAIL - http:// not at start
$v = new Validator(['url' => 'evil.com?redirect=http://trusted.com']);
$v->rule('url', 'url'); // Returns false

// PASS - proper URL
$v = new Validator(['url' => 'http://trusted.com']);
$v->rule('url', 'url'); // Returns true
```

### Path Traversal Protection

[](#path-traversal-protection)

Language loading validates against directory traversal:

```
use Frostybee\Valicomb\Validator;

// Blocked - invalid language
new Validator([], [], '../../etc/passwd'); // Throws InvalidArgumentException
```

### Email Security

[](#email-security)

Email validation includes:

- RFC 5321 length limits (254 chars total, 64 local, 255 domain)
- Dangerous character rejection
- Proper validation against injection attacks

### Integer Validation

[](#integer-validation)

Fixed regex properly validates all integers, not just single digits:

```
use Frostybee\Valicomb\Validator;

$v = new Validator(['num' => '1000']);
$v->rule('integer', 'num', true); // Works correctly (strict mode)
```

Internationalization
--------------------

[](#internationalization)

Valicomb supports 33 languages out of the box:

```
use Frostybee\Valicomb\Validator;

// Set default language
Validator::lang('es'); // Spanish

// Or per-instance
$v = new Validator($data, [], 'fr'); // French
```

Available languages: ar, az, bg, cs, da, de, el, en, es, fa, fi, fr, hu, id, it, ja, ko, lt, lv, nb, nl, nn, no, pl, pt, pt-br, ro, ru, sk, sl, sv, th, tr, uk, vi, zh-cn, zh-tw

Advanced Features
-----------------

[](#advanced-features)

### Conditional Validation

[](#conditional-validation)

```
use Frostybee\Valicomb\Validator;

$v = new Validator($_POST);

// Required only if other field is present
$v->rule('requiredWith', 'billing_address', ['same_as_shipping']);

// Required only if other field is absent
$v->rule('requiredWithout', 'phone', ['email']);
```

### Optional Fields

[](#optional-fields)

```
use Frostybee\Valicomb\Validator;

$v = new Validator($_POST);
$v->rule('optional', 'middle_name');
$v->rule('alpha', 'middle_name'); // Only validated if present
```

### Credit Card Validation

[](#credit-card-validation)

```
use Frostybee\Valicomb\Validator;

$v = new Validator($_POST);

// Any valid card
$v->rule('creditCard', 'card_number');

// Specific card type
$v->rule('creditCard', 'card_number', 'visa');

// Multiple allowed types
$v->rule('creditCard', 'card_number', ['visa', 'mastercard']);
```

### Instance Validation

[](#instance-validation)

```
use Frostybee\Valicomb\Validator;

$v = new Validator(['date' => new DateTime()]);
$v->rule('instanceOf', 'date', DateTime::class);
```

Error Handling
--------------

[](#error-handling)

### Get All Errors

[](#get-all-errors)

```
use Frostybee\Valicomb\Validator;

$v = new Validator($_POST);
$v->rule('required', 'email');
$v->rule('integer', 'age');

if (!$v->validate()) {
    $errors = $v->errors();
    // [
    //     'email' => ['Email is required', 'Email is not a valid email address'],
    //     'age' => ['Age must be an integer']
    // ]
}
```

### Get Errors for Specific Field

[](#get-errors-for-specific-field)

```
use Frostybee\Valicomb\Validator;

$v = new Validator($_POST);
$v->rule('required', 'email')->rule('email', 'email');
$v->validate();

$emailErrors = $v->errors('email');
// ['Email is required', 'Email is not a valid email address']
```

### Custom Error Messages

[](#custom-error-messages)

```
use Frostybee\Valicomb\Validator;

$v = new Validator($_POST);
$v->rule('required', 'email')->message('We need your email!');
$v->rule('email', 'email')->message('That doesn\'t look like a valid email');
```

### Message Placeholders

[](#message-placeholders)

```
use Frostybee\Valicomb\Validator;

$v = new Validator($_POST);
$v->rule('lengthBetween', 'username', 3, 20)
  ->message('Username must be between {0} and {1} characters');
```

🙏 Credits
---------

[](#-credits)

Originally created by [Vance Lucas](https://www.vancelucas.com/)

Modernized for PHP 8.2+ with security enhancements and strict type safety.

Support
-------

[](#support)

- **GitHub Issues**: [Report bugs or request features](https://github.com/frostybee/valicomb/issues)
- **Stack Overflow**: Tag your questions with `valicomb` or `php-validation`

Contributing
------------

[](#contributing)

Contributions are welcome! Please ensure:

1. Fork the repository
2. Create your feature branch (`git checkout -b my-new-feature`)
3. Make your changes
4. Run all quality checks (`composer check-all`)
5. Code follows PSR-12 standards (`composer cs-fix`)
6. All tests pass (`composer test`)
7. PHPStan analysis passes (`composer analyse`)
8. Add tests for new features
9. Commit your changes (`git commit -am 'Add some feature'`)
10. Push to the branch (`git push origin my-new-feature`)
11. Create a Pull Request

Testing &amp; Development Workflow
----------------------------------

[](#testing--development-workflow)

```
# Before committing
composer check-all

# Individual checks
composer test              # Run PHPUnit test suite
composer analyse           # Run PHPStan static analysis (Level 8)
composer cs-check          # Check code style (PSR-12)

# Fix any issues
composer cs-fix

# Verify fixes
composer check-all
```

### Additional Commands

[](#additional-commands)

- `composer benchmark` - Run performance benchmarks
- `composer validate` - Validate composer.json syntax
- `composer audit` - Check for security vulnerabilities

Security
--------

[](#security)

To report a security vulnerability, please create a private security advisory on GitHub or email the maintainer directly. Do not create public issues for security vulnerabilities.

License
-------

[](#license)

Valicomb is open-source software licensed under the [BSD 3-Clause License](LICENSE).

###  Health Score

41

—

FairBetter than 87% of packages

Maintenance74

Regular maintenance activity

Popularity22

Limited adoption so far

Community6

Small or concentrated contributor base

Maturity51

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~18 days

Total

4

Last Release

173d ago

### Community

Maintainers

![](https://www.gravatar.com/avatar/ca21d8b863eb84452bbf22c312ae3d18e4da2461becbdbd58f046e15d18095cb?d=identicon)[frostybee](/maintainers/frostybee)

---

Top Contributors

[![frostybee](https://avatars.githubusercontent.com/u/805978?v=4)](https://github.com/frostybee "frostybee (37 commits)")

---

Tags

phpphp-validationvalidationvalidatorvalidatorvalidationsecurityphp8type-safevalidvalicomb

###  Code Quality

TestsPHPUnit

Static AnalysisPHPStan

Code StylePHP CS Fixer

Type Coverage Yes

### Embed Badge

![Health badge](/badges/frostybee-valicomb/health.svg)

```
[![Health](https://phpackages.com/badges/frostybee-valicomb/health.svg)](https://phpackages.com/packages/frostybee-valicomb)
```

###  Alternatives

[vlucas/valitron

Simple, elegant, stand-alone validation library with NO dependencies

1.7k4.6M140](/packages/vlucas-valitron)[wixel/gump

A fast, extensible &amp; stand-alone PHP input validation class that allows you to validate any data.

1.2k1.4M32](/packages/wixel-gump)[iamfarhad/validation

🇮🇷 Complete Laravel Persian validation package - Iranian national ID, mobile numbers, Shamsi dates, IBAN/Sheba, postal codes &amp; more. Modern Laravel 10-13 support with both ValidationRule objects &amp; string-based rules.

3017.3k](/packages/iamfarhad-validation)[tommyknocker/pdo-database-class

Framework-agnostic PHP database library with unified API for MySQL, MariaDB, PostgreSQL, SQLite, MSSQL, and Oracle. Query Builder, caching, sharding, window functions, CTEs, JSON, migrations, ActiveRecord, CLI tools, AI-powered analysis. Zero external dependencies.

846.1k](/packages/tommyknocker-pdo-database-class)[phpexperts/datatype-validator

An easy to use data type validator (both strict and fuzzy).

141.2M2](/packages/phpexperts-datatype-validator)[progsmile/request-validator

Simple PHP Request Validator

37114.5k1](/packages/progsmile-request-validator)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
