You can do whatever you want. No one can tell you that you are the creator of the software what you should do. Unless, of course, there is a technical reason to do so. This is the good news. Forget good practices, this expression should be abolished from software development, it just causes wrong understanding of things.
That said, understand that these standards recommendations are to better organize your code. That’s why you should make choices that produce a better organization, that make you comfortable to work in this way, allowing you to maintain in a simple way.
I have bad news: knowing exactly what to do in each situation depends on experience (quality, quantity is not enough). The most you can do when you don’t have to is ask who you have it for. But keep in mind that this only works for specific cases and that there is no guarantee that the person will understand the problem. And even if she does, it’s also not guaranteed that she’s committed to providing you with the best solution, even if superficially she wants to.
Answering your question here, in general, validations should be made in the same model. This is what the "law" ( :D ) of the MVC says.
But nothing stops you from putting validations that you think are pertinent in the controller, some of them might make sense. Some may have to do with the input of data itself and not with the persisted data more directly. That is, you are validating the flow. Then it can be in the vision too.
You can’t validate something in the model that depends on what you’re doing to enter the data.
Some will say it violates the MVC principle. It may be, but I don’t see a better way to do it.
Of course, you can do this more intelligently, you can inject this validation externally and not encode it internally to the controller. You can organize the code to meet the objectives of MVC instead of following ready-made formula. You can share validation code between the model and the controller. The validation should probably be a separate entity.
But it can do when the validation needs to occur also in the model. Some of the examples you mentioned would need to be validated in the model (if you only validate in the controller, someone might go over it and the model accept data written in a disorganized way)then you can create a more modular code that can be used to validate the model and to anticipate on the controller. Of course, this need depends on something that goes a little beyond the MVC. Anyway if you want to validate something on the page, you have to do it in JS, right? The model is in PHP? The controller too? Do you realize that you will have to make two validations that validate the same thing? There is no magic.
Note that the MVC standard says what the workflow should look like. It doesn’t say exactly where the code should be. The code does not need to be in one of these parts itself. Where should the validation be? Anywhere. What you want to know is where it should be invoked. And it has reasons to invoke both in the model and in the controller, depends on the case, not to mention that it will often be in the view, probably in an additional way.
As long as you don’t fully understand what MVC is, why it exists, what it brings you good, you can never use the pattern consciously and you can’t make important decisions on a case-by-case basis, as it should be.
We have some information here at several questions on the subject. Many are very specific and may not be of much use to you, others can help give you experience using others' experience. Some may have bad answers. In other times I would say that bad ones would be badly voted, but today I can not give this guarantee.
To Wikipedia is another obvious place to start studying the subject.
A interesting article aimed at PHP.
One wiki of computer standards worthwhile.
Question on the Programmers on the subject that gives various views and ways to get more information.
Article by Martin Fowler with a broader view on the subject.
Reasonably detailed example.
This is just a start to start understanding the pattern, don’t stop there. Read this e-book.
If you’re gonna take it literally, controller should not validate, only control the flow, and the model would be responsible for the business rules - type validation. Some validations I keep on controller for convenience and ease.
– Papa Charlie
Take a look at [tour]. You can accept an answer if it solved your problem. You can vote on every post on the site as well. Did any help you more? You need something to be improved?
– Maniero