/Drupal 8

public function FormValidator::validateForm

public FormValidator::validateForm($form_id, &$form, FormStateInterface &$form_state)

Validates user-submitted form data in the $form_state.


$form_id: A unique string identifying the form for validation, submission, theming, and hook_form_alter functions.

$form: An associative array containing the structure of the form, which is passed by reference. Form validation handlers are able to alter the form structure (like #process and #after_build callbacks during form building) in case of a validation error. If a validation handler alters the form structure, it is responsible for validating the values of changed form elements in $form_state->getValues() to prevent form submit handlers from receiving unvalidated values.

$form_state: The current state of the form. The current user-submitted data is stored in $form_state->getValues(), though form validation functions are passed an explicit copy of the values for the sake of simplicity. Validation handlers can also use $form_state to pass information on to submit handlers. For example: $form_state->set('data_for_submission', $data); This technique is useful when validation requires file parsing, web service requests, or other expensive requests that should not be repeated in the submission step.

Overrides FormValidatorInterface::validateForm


core/lib/Drupal/Core/Form/FormValidator.php, line 90


Provides validation of form submissions.




public function validateForm($form_id, &$form, FormStateInterface &$form_state) {
  // If this form is flagged to always validate, ensure that previous runs of
  // validation are ignored.
  if ($form_state->isValidationEnforced()) {

  // If this form has completed validation, do not validate again.
  if ($form_state->isValidationComplete()) {

  // If the session token was set by self::prepareForm(), ensure that it
  // matches the current user's session. This is duplicate to code in
  // FormBuilder::doBuildForm() but left to protect any custom form handling
  // code.
  if (isset($form['#token'])) {
    if (!$this->csrfToken->validate($form_state->getValue('form_token'), $form['#token']) || $form_state->hasInvalidToken()) {

      // Stop here and don't run any further validation handlers, because they
      // could invoke non-safe operations which opens the door for CSRF
      // vulnerabilities.
      $this->finalizeValidation($form, $form_state, $form_id);

  // Recursively validate each form element.
  $this->doValidateForm($form, $form_state, $form_id);
  $this->finalizeValidation($form, $form_state, $form_id);
  $this->handleErrorsWithLimitedValidation($form, $form_state, $form_id);

© 2001–2016 by the original authors
Licensed under the GNU General Public License, version 2 and later.
Drupal is a registered trademark of Dries Buytaert.