json_validate() — Native JSON Validation (PHP 8.3)
Also Known As
json_validate
PHP 8.3 JSON
JSON validation PHP
TL;DR
PHP 8.3 added json_validate() — a dedicated function that checks whether a string is valid JSON without decoding it, making validation faster and cheaper than json_decode() + error checking.
Explanation
Before PHP 8.3, the only way to validate JSON was to call json_decode() and check json_last_error() — which allocated memory to build the decoded value even though you only wanted to know if the string was valid. json_validate() parses the JSON structure without building a PHP data structure, making it significantly faster and less memory-intensive for large payloads. It returns true/false. It accepts the same optional depth and flags arguments as json_decode(). This is ideal for webhook handlers, API input validation, and message queue consumers that need to validate incoming JSON before forwarding to a decoder.
Common Misconception
✗ json_validate() replaces json_decode(). It doesn't — it only tells you whether the string is valid JSON. You still need json_decode() to actually use the data. json_validate() is for the guard clause before decoding.
Why It Matters
For high-throughput APIs or queue workers that receive many JSON payloads, using json_decode() purely for validation wastes significant memory and CPU. json_validate() is a zero-allocation check — it scans the JSON structure and returns immediately. On a service processing thousands of messages per second, this can meaningfully reduce memory pressure.
Common Mistakes
- Calling json_validate() and then immediately calling json_decode() on failure — json_validate() returns false on invalid JSON, so the decode should only happen in the true branch.
- Using json_validate() as a substitute for schema validation — it only checks JSON syntax, not whether the structure matches your expected schema.
- Not specifying a depth limit for untrusted input — deeply nested JSON can cause stack overflows; json_validate($input, depth: 10) is safer for external data.
- Forgetting JSON_THROW_ON_ERROR on json_decode() after validation — json_decode() can still return null for valid JSON ('null' is valid JSON), so throw-on-error prevents silent failures.
Code Examples
✗ Vulnerable
<?php
// ❌ Using json_decode() purely for validation — wasteful
function handleWebhook(string $body): void
{
$data = json_decode($body, true); // Allocates full PHP array
if (json_last_error() !== JSON_ERROR_NONE) {
throw new InvalidArgumentException('Invalid JSON');
}
// Now decode again (or use $data — but you allocated it twice if validating first)
processPayload($data);
}
✓ Fixed
<?php
// ✅ PHP 8.3 — validate cheaply, decode only once
function handleWebhook(string $body): void
{
if (!json_validate($body)) {
throw new InvalidArgumentException('Invalid JSON payload');
}
// Decode only after confirming validity
$data = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
processPayload($data);
}
// With depth limit for untrusted input
if (!json_validate($untrustedInput, depth: 5)) {
return false;
}Tags
🤝 Adopt this term
£79/year · your link shown here
Added
23 Mar 2026
Views
21
🤖 AI Guestbook educational data only
|
|
Last 30 days
Agents 1
Amazonbot 1
No pings yesterday
Amazonbot 9
Perplexity 2
Google 2
ChatGPT 1
Ahrefs 1
Also referenced
How they use it
crawler 14
crawler_json 1
Related categories
⚡
DEV INTEL
Tools & Severity
⚙ Fix effort: Low
⚡ Quick Fix
Replace 'json_decode($s); if (json_last_error() !== JSON_ERROR_NONE)' validation patterns with 'if (!json_validate($s))' — then only call json_decode() when you actually need the data.
📦 Applies To
PHP 8.3+
web
cli
queue-worker