Table of Contents

PHP RFC: json_validate

Introduction

This RFC introduces a new function called json_validate() to validate if an string contains a valid json.

Most userland implementations use json_decode() which by design generates a ZVAL(object/array/etc.) while parsing the string, ergo using memory and processing that could be save.

The proposed function will use the exact same JSON parser that already exists in the PHP core, which is also use by json_decode(), this garantees that what is valid in json_validate() is also valid in json_decode().

Proposal

Description

json_validate(string $json, int $depth = 512, int $flags = 0): bool

Parameters

json

The json string being analyzed.

This function only works with UTF-8 encoded strings.

Note:

PHP implements a superset of JSON as specified in the original » RFC 7159.

depth

Maximum nesting depth of the structure being decoded.

flags

Bitmask of JSON_INVALID_UTF8_IGNORE. The behavior of this constant is described on the JSON constants page.

Return values

Returns true if the string passed contains a valid json, otherwise returns false.

Examples

1. Validate a valid json-string

var_dump(json_validate('{ "test": { "foo": "bar" } }'));

Result will be

bool(true)

2. Validate an invalid json-string

var_dump(json_validate('{ "": "": "" } }'));

Result will be

bool(false)

Errors during validation can be fetch by using json_last_error() and/or json_last_error_msg().

General notes from discussion of the RFC

Use cases contributed by the community

Eventhough not reduce to only these examples, during discussion in mailing list, some users expressed:

“Yes well-formed JSON from a trusted source tends to be small-ish. But a validation function also needs to deal with non-well-formed JSON, otherwise you would not need to validate it.”

“If with a new function (json_validate()) it becomes much easier to defend against a Denial-of-Service attack for some parts of a JSON API, then this can be a good addition just for security reasons.”

“fast / efficient validation of a common communication format reduces the attack surface for Denial-of-Service attacks.”

Reasons to have json_validate() function in the core

Based on discussion of the RFC in the mailing list

Disadvantages of using json_decode to only validate a json-string

By design, json_decode() generates a ZVAL (object/array/etc.) while parsing the string, ergo using memory and processing for it, that is not needed if the only thing to discover is if a string contains a valid json or not.

Disadvantages of using regex

Using a regex for this task forces different, error-prone, hard to maintain, implementations.

Disadvantages of userland solutions

PHP already has a JSON parser

As previously mentioned, PHP already has a JSON parser used by json_decode(). The proposed function will use that parser, guaranteeing 100% compatibility between json_decode() and json_validate()

Needs from major projects and developers

In the “References” section, there is a list of major open-source php projects that could benefit with this new function.

Also in the mentioned section a link to one of the most popular StackOverflow questions is provided, which somehow reflects the need from our developers to have a feature like this included.

Please check the “References” section.

Complexity added in the core

At the moment, there is a JSON parser in the core, used by json_decode() to do its job, so there is no need to write a new JSON parser for this RFC; the proposed function will use the existing JSON parser exclusively to parse an string without generating any object/array/etc. in memory for it.

Reasons NOT to have json_validate() function in the core

One member of the mailing list expressed that:

Quote:

“If we keep the tendency to pollute already bloated standard library with an army of small functions that could have not exists and be replaced with normal PHP counterparts IMHO we'll end with frustration from developers as I believe DX slowly falls down here.”

Quote:

“A `json_decode()` is a substitute that IMO solves 99% of use cases. If I'd follow your logic and accept every small addition that handles 1% of use cases, somebody will raise another RFC for simplexml_validate_string or yaml_validate and the next PhpToken::validate. All above can be valid if we trust that people normally validate 300MB payloads to do nothing if they DON'T fail and there is nothing strange about that.”

Changes in the RFC that happened during discussion

Throw Exception on error

In my initial implementation, the developer had the option to provide a flag to indicate that in case of error during validation an exception should be throw.

The ability to throw an exception on error was removed from the implementation, as this was pointed not only by most of user in the mailing list (with good reasons), but also during code review; as it does not make sense to have such a behavior.

I also have to admit that after they showed their arguments, I changed my mind, and now I also think it makes sense to have such a behavior in the function.

So removing the ability to throw exception on error was removed from implementation.

Others

Backward Incompatible Changes

None, as this is a new function only.

json_validate will no longer be available as a function name.

Proposed PHP Version(s)

next PHP 8.x

RFC Impact

This RFC has no impact on SAPIs, existing extensions, Opcache, etc.

Future Scope

- (To be defined by future discussions if needed)

Proposed Voting Choices

- (To be defined)

Implementation

- Github: https://github.com/php/php-src/pull/9399

References

Major Open-Source projects that will benefit out of this

Symfony Framework

class JsonValidator extends ConstraintValidator

Laravel Framework

    public function validateJson($attribute, $value)
    {
        if (is_array($value)) {
            return false;
        }
 
        if (! is_scalar($value) && ! is_null($value) && ! method_exists($value, '__toString')) {
            return false;
        }
 
        json_decode($value);
 
        return json_last_error() === JSON_ERROR_NONE;
    }

Laravel Framework

    public static function isJson($value)
    {

Magento

    protected function isValidJsonValue($value)
    {
        if (in_array($value, ['null', 'false', '0', '""', '[]'])
            || (json_decode($value) !== null && json_last_error() === JSON_ERROR_NONE)
        ) {
            return true;
        }
        //JSON last error reset
        json_encode([]);
        return false;
    }

Magento

    public function isValid($string)
    {
        if ($string !== false && $string !== null && $string !== '') {
            json_decode($string);
            if (json_last_error() === JSON_ERROR_NONE) {
                return true;
            }
        }
        return false;
    }

getgrav

    public static function validateJson($value, $params)
    {
        return (bool) (@json_decode($value));
    }

Respect / Validation

final class Json extends AbstractRule
{
    /**
     * {@inheritDoc}
     */
    public function validate($input): bool
    {
        if (!is_string($input) || $input === '') {
            return false;
        }
 
        json_decode($input);
 
        return json_last_error() === JSON_ERROR_NONE;
    }
}

Respect / Validation

final class Json extends AbstractRule
{
    /**
     * {@inheritDoc}
     */
    public function validate($input): bool
    {
        if (!is_string($input) || $input === '') {
            return false;
        }
 
        json_decode($input);
 
        return json_last_error() === JSON_ERROR_NONE;
    }
}

Prestashop

    public static function isJson($string)
    {
        json_decode($string);
 
        return json_last_error() == JSON_ERROR_NONE;
    }

Wordpress CLI

function is_json( $argument, $ignore_scalars = true ) {
    if ( ! is_string( $argument ) || '' === $argument ) {
        return false;
    }
 
    if ( $ignore_scalars && ! in_array( $argument[0], [ '{', '[' ], true ) ) {
        return false;
    }
 
    json_decode( $argument, $assoc = true );
 
    return json_last_error() === JSON_ERROR_NONE;
}

JOOMLA CMS

if (\is_string($value)) {
    json_decode($value); //<------ HERE
 
    // Check if value is a valid JSON string.
    if ($value !== '' && json_last_error() !== JSON_ERROR_NONE) {
        /**
         * If the value is not empty and is not a valid JSON string,
         * it is most likely a custom field created in Joomla 3 and
         * the value is a string that contains the file name.
        */
        if (is_file(JPATH_ROOT . '/' . $value)) {
            $value = '{"imagefile":"' . $value . '","alt_text":""}';
        } else {
            $value = '';
        }
    }

In PHP, this question is one of the most high ranked questions related to json && php in stackoverflow, “Fastest way to check if a string is JSON in PHP?”. The question

Viewed 484k times. The ranking

Person asking how to do exactly this, also providing a real use case; eventhough in python, the programming language is not important. In Python

Someone has also doing exactly this , in JAVA. In Java

Vote

Voting started 2022-09-22 and will end on 2022-10-07 at 00:00:00 UTC time zone.

json_validate
Real name Yes No
ashnazg (ashnazg)  
beberlei (beberlei)  
bmajdak (bmajdak)  
bukka (bukka)  
crell (crell)  
cschneid (cschneid)  
dharman (dharman)  
fibbarth (fibbarth)  
girgias (girgias)  
mfonda (mfonda)  
ocramius (ocramius)  
reywob (reywob)  
santiagolizardo (santiagolizardo)  
seld (seld)  
sergey (sergey)  
svpernova09 (svpernova09)  
tandre (tandre)  
timwolla (timwolla)  
villfa (villfa)  
Final result: 18 1
This poll has been closed.