This package is abandoned and no longer maintained. The author suggests using the laminas-api-tools/api-tools-content-validation package instead.

Zend Framework module providing incoming content validation


Repository abandoned 2019-12-31

This repository has moved to laminas-api-tools/api-tools-content-validation.

Build Status Coverage Status


Zend Framework module for automating validation of incoming input.

Allows the following:

  • Defining named input filters.
  • Mapping named input filters to named controller services.
  • Returning an ApiProblemResponse with validation error messages on invalid input.


Please see the composer.json file.


Run the following composer command:

$ composer require zfcampus/zf-content-validation

Alternately, manually add the following to your composer.json, in the require section:

"require": {
    "zfcampus/zf-content-validation": "^1.4"

And then run composer update to ensure the module is installed.

Finally, add the module name to your project's config/application.config.php under the modules key:

return [
    /* ... */
    'modules' => [
        /* ... */
    /* ... */


User Configuration

This module utilizes two user level configuration keys zf-content-validation and also input_filter_specs (named such that this functionality can be moved into ZF2 in the future).

Service Name key

The zf-content-validation key is a mapping between controller service names as the key, and the value being an array of mappings that determine which HTTP method to respond to and what input filter to map to for the given request. The keys for the mapping can either be an HTTP method that accepts a request body (i.e., POST, PUT, PATCH, or DELETE), or it can be the word input_filter. The value assigned for the input_filter key will be used in the case that no input filter is configured for the current HTTP request method.

Example where there is a default as well as a POST filter:

'zf-content-validation' => [
    'Application\Controller\HelloWorld' => [
        'input_filter' => 'Application\Controller\HelloWorld\Validator',
        'POST' => 'Application\Controller\HelloWorld\CreationValidator',

In the above example, the Application\Controller\HelloWorld\Validator service will be selected for PATCH, PUT, or DELETE requests, while the Application\Controller\HelloWorld\CreationValidatorwill be selected for POST requests.

Starting in version 1.1.0, two additional keys can be defined to affect application validation behavior:

  • use_raw_data: if NOT present, raw data is ALWAYS injected into the "BodyParams" container (defined by zf-content-negotiation). If this key is present and a boolean false, then the validated, filtered data from the input filter will be used instead.

  • allows_only_fields_in_filter: if present, and use_raw_data is boolean false, the value of this flag will define whether or not additional fields present in the payload will be merged with the filtered data.

  • remove_empty_data: Should we remove empty data from received data?

    • If no remove_empty_data flag is present, do nothing - use data as is
    • If remove_empty_data flag is present AND is boolean true, then remove empty data from current data array
    • Does not remove empty data if keys matched received data

Validating GET requests

  • Since 1.3.0.

Starting in 1.3.0, you may also specify GET as an HTTP method, mapping it to an input filter in order to validate your query parameters. Configuration is exactly as described in the above section.

This feature is only available when manually configuring your API; it is not exposed in the Admin UI.

Validating collection requests

  • Since 1.5.0

Starting in 1.5.0, you may specify any of:


as keys. These will then be used specifically with the given HTTP method, but only on requests matching the collection endpoint.

Validating DELETE requests

  • Since 1.6.0

Starting in 1.6.0, you may specify each of the following keys for input filters:


The input filter associated with the key will be used to validate data sent in the request body.


input_filter_spec is for configuration-driven creation of input filters. The keys for this array will be a unique name, but more often based off the service name it is mapped to under the zf-content-validation key. The values will be an input filter configuration array, as is described in the ZF2 manual section on input filters.


'input_filter_specs' => [
    'Application\Controller\HelloWorldGet' => [
        0 => [
            'name' => 'name',
            'required' => true,
            'filters' => [
                0 => [
                    'name' => 'Zend\Filter\StringTrim',
                    'options' => [],
            'validators' => [],
            'description' => 'Hello to name',
            'allow_empty' => false,
            'continue_if_empty' => false,

System Configuration

The following configuration is defined by the module in order to function within a ZF2 application.

namespace ZF\ContentValidation;

use Zend\InputFiler\InputFilterAbstractServiceFactory;
use Zend\ServiceManager\Factory\InvokableFactory;

return [
    'controller_plugins' => [
        'aliases' => [
            'getinputfilter' => InputFilter\InputFilterPlugin::class,
            'getInputfilter' => InputFilter\InputFilterPlugin::class,
            'getInputFilter' => InputFilter\InputFilterPlugin::class,
        'factories' => [
            InputFilter\InputFilterPlugin::class => InvokableFactory::class,
    'input_filters' => [
        'abstract_factories' => [
    'service_manager' => [
        'factories' => [
            ContentValidationListener::class => ContentValidationListenerFactory::class,
    'validators' => [
        'factories' => [
            'ZF\ContentValidation\Validator\DbRecordExists' => Validator\Db\RecordExistsFactory::class,
            'ZF\ContentValidation\Validator\DbNoRecordExists' => Validator\Db\NoRecordExistsFactory::class,

ZF Events



This listener is attached to the MvcEvent::EVENT_ROUTE event at priority -650. Its purpose is to utilize the zf-content-validation configuration in order to determine if the current request's selected controller service name has a configured input filter. If it does, it will traverse the mappings from the configuration file to create the appropriate input filter (from configuration or the Zend Framework 2 input filter plugin manager) in order to validate the incoming data. This particular listener utilizes the data from the zf-content-negotiation data container in order to get the deserialized content body parameters.



This event is emitted by ZF\ContentValidation\ContentValidationListener::onRoute() (described above) in between aggregating data to validate and determining the input filter, and the actual validation of data. Its purpose is to allow users:

  • the ability to manipulate input filters.
  • to modify the data set to validate (available since 1.4.0).

As an example, you might want to validate an identifier provided via the URI, and matched during routing. You may do this as follows:

$events->listen(ContentValidationListener::EVENT_BEFORE_VALIDATE, function ($e) {
    if ($e->getController() !== MyRestController::class) {

    $matches = $e->getRouteMatch();
    $data = $e->getParam('ZF\ContentValidation\ParameterData') ?: [];
    $data['id'] = $matches->getParam('id');
    $e->setParam('ZF\ContentValidation\ParameterData', $data);

ZF Services

Controller Plugins

ZF\ContentValidation\InputFilter\InputFilterPlugin (aka getInputFilter)

This plugin is available to Zend Framework 2 controllers. When invoked ($this->getInputFilter() or $this->plugin('getinputfilter')->__invoke()), it returns whatever is in the MVC event parameter ZF\ContentValidation\InputFilter, returning null for any value that is not an implementation of Zend\InputFilter\InputFilter.



This abstract factory is responsible for creating and returning an appropriate input filter given a name and the configuration from the top-level key input_filter_specs. It is registered with Zend\InputFilter\InputFilterPluginManager.