What is Input Validation? Security Best Practices


TL;DR

Input validation checks that user data matches expected formats before processing. Is the email valid? Is the number within range? Is the required field present? Validation rejects bad input early, preventing bugs and security issues. Always validate on the server. Use libraries like Zod or Yup to define and enforce schemas.

The Simple Explanation

Users submit data through forms, URLs, and APIs. Some data is mistakes (typos), some is malicious (attacks). Validation is your first check: "Does this look like what I expect?" If not, reject it immediately. Don't try to process or fix bad data.

What to Validate

  • Type: Is it a string, number, boolean, array?
  • Format: Valid email? Valid URL? UUID format?
  • Length: Min and max character limits
  • Range: Number between 1 and 100?
  • Allowed values: One of pending, approved, rejected?
  • Required: Is this field present?
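As an added example (not code from the original page), the following dependency-free JavaScript validator applies each of these checks to a request body. The `userRules` table, the `validate` function and the sample bodies are constructed for illustration; a library such as Zod does the same job with less code, but spelling the checks out shows exactly what a schema enforces, including dropping fields the schema never declared.

```javascript
// Added example, not from the original page. Rules and sample bodies are constructed.
// A deliberately simple email pattern: one "@" and a dot in the domain part.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// One rule per field: type, required/optional, and the bounds or allowlist for that type.
const userRules = {
  email: { type: 'string', required: true, format: EMAIL_RE, maxLength: 254 },
  name:  { type: 'string', required: true, minLength: 1, maxLength: 100 },
  age:   { type: 'number', required: false, min: 0, max: 150 },
  role:  { type: 'string', required: true, oneOf: ['user', 'admin'] },
};

// Returns { ok: true, data } containing only the declared fields, or { ok: false, errors }.
// Undeclared keys (for example "isAdmin") are dropped so they never reach application code.
function validate(input, rules) {
  const errors = [];
  const data = {};
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: [{ field: '', message: 'body must be an object' }] };
  }
  for (const [field, rule] of Object.entries(rules)) {
    const value = input[field];
    // Required: is the field present at all?
    if (value === undefined || value === null) {
      if (rule.required) errors.push({ field, message: 'required' });
      continue;
    }
    // Type: checked first so the checks below operate on the expected type.
    if (typeof value !== rule.type || (rule.type === 'number' && !Number.isFinite(value))) {
      errors.push({ field, message: `must be a ${rule.type}` });
      continue;
    }
    if (rule.type === 'string') {
      // Length bounds
      if (rule.minLength !== undefined && value.length < rule.minLength)
        errors.push({ field, message: `shorter than ${rule.minLength}` });
      if (rule.maxLength !== undefined && value.length > rule.maxLength)
        errors.push({ field, message: `longer than ${rule.maxLength}` });
      // Format
      if (rule.format && !rule.format.test(value))
        errors.push({ field, message: 'invalid format' });
      // Allowed values (allowlist)
      if (rule.oneOf && !rule.oneOf.includes(value))
        errors.push({ field, message: `must be one of ${rule.oneOf.join(', ')}` });
    }
    if (rule.type === 'number') {
      // Range bounds
      if (rule.min !== undefined && value < rule.min) errors.push({ field, message: `below ${rule.min}` });
      if (rule.max !== undefined && value > rule.max) errors.push({ field, message: `above ${rule.max}` });
    }
    data[field] = value;
  }
  return errors.length ? { ok: false, errors } : { ok: true, data };
}

// Constructed sample bodies: one that passes (with an extra key that gets dropped)
// and one that fails every field in a different way.
const goodBody = { email: 'alice@example.com', name: 'Alice', age: 30, role: 'user', isAdmin: true };
const badBody  = { email: 'not-an-email', name: '', age: '30', role: 'root' };

console.log(validate(goodBody, userRules)); // ok: true, data without isAdmin
console.log(validate(badBody, userRules));  // ok: false, one error per field
```

In an API handler the pattern is the same as with a schema library: run `validate`, return 400 with the error list when `ok` is false, and pass only `data` (not the raw body) to the rest of the application.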

Validation with Zod

Schema validation example

import { z } from 'zod';

// z.object() strips keys that the schema does not declare; call .strict() to reject them instead.
const userSchema = z.object({
  email: z.string().email(),
  name: z.string().min(1).max(100),
  age: z.number().min(0).max(150).optional(),
  role: z.enum(['user', 'admin']), // z.enum takes an array of the allowed values
});

// In your API handler
const result = userSchema.safeParse(req.body);
if (!result.success) {
  return res.status(400).json({ errors: result.error.issues });
}
// result.data is now typed and validated; use it instead of req.body from here on

Client vs Server Validation

Aspect          | Client-Side            | Server-Side
Purpose         | User experience        | Security
Can be bypassed | Yes, easily            | No (if done right)
When to use     | For immediate feedback | Always, mandatory

Never trust client-side validation alone. Attackers can disable JavaScript, modify requests, or call your API directly. Server-side validation is your security boundary.

Validation Libraries

  • Zod: TypeScript-first, excellent DX
  • Yup: Popular, works well with Formik
  • Joi: Mature, extensive features
  • Valibot: Lightweight alternative to Zod

Should I validate on the client or server?

Always validate on the server. Client-side validation can be bypassed by attackers using browser dev tools or direct API calls. Client-side validation is for user experience (immediate feedback), not security. Server-side validation is mandatory for security.

What should I validate?

Validate type (string, number, boolean), format (email, URL, phone), length (min/max characters), range (number bounds), allowed values (enums, allowlists), and required vs optional. Validate everything that comes from outside your trusted code, including URL parameters, form data, headers, and file uploads.

Is validation enough to prevent injection attacks?

Validation helps but is not enough on its own. A value can pass every check and still be dangerous in a particular context: O'Brien is a perfectly valid name, and it will break a SQL string built by concatenation; a comment that is a string of acceptable length may still contain a script tag. Use validation to reject unexpected input, and in addition use parameterized queries for SQL, output encoding for HTML, and the escaping appropriate to each other context (shell commands, LDAP filters, URLs). Defense in depth means multiple layers of protection.
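As an added example (not from the original page), the following JavaScript shows validation and output encoding as two separate layers, plus the parameterized query shape that keeps a validated string out of the SQL text. `validateComment`, `escapeHtml`, `renderComment`, `findUserQuery` and the sample inputs are constructed; the `{ text, values }` query object follows the shape accepted by node-postgres, but nothing here connects to a database.

```javascript
// Added example, not from the original page. All names and inputs are constructed.

// Layer 1: validation. A comment must be a non-empty string of bounded length.
// It deliberately does not strip "<" or quotes: "x < y" and "O'Brien" are legitimate
// comments, and stripping would also hide attacks rather than handle them.
function validateComment(input) {
  if (typeof input !== 'string') return { ok: false, error: 'must be a string' };
  if (input.length < 1 || input.length > 500) return { ok: false, error: 'length must be 1..500' };
  return { ok: true, data: input };
}

// Layer 2: output encoding for the HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Renders a validated comment as an HTML fragment. The script payload below passes
// validation (it is a string of acceptable length); encoding is what stops it executing.
function renderComment(input) {
  const v = validateComment(input);
  if (!v.ok) return { status: 400, body: v.error };
  return { status: 200, body: `<p class="comment">${escapeHtml(v.data)}</p>` };
}

// Layer 2 for SQL: the value travels in `values`, never inside `text`, so a string
// such as "a@b.com' OR 1=1 --" is compared as data rather than parsed as SQL.
// This is the query-config shape node-postgres accepts: client.query({ text, values }).
function findUserQuery(email) {
  return { text: 'SELECT id, name FROM users WHERE email = $1', values: [email] };
}

const payload = '<script>alert(1)</script>'; // constructed: valid by type and length
console.log(renderComment(payload));          // 200, with the tags encoded
console.log(renderComment('a'.repeat(501)));  // 400, rejected by validation
console.log(findUserQuery("a@b.com' OR 1=1 --"));
```

The two layers answer different questions. Validation asks "is this the kind of value I expect?" and rejects what is not. Encoding and parameterization ask "how do I hand this value to the next interpreter without it being parsed as code?" and must be applied at each output point regardless of what validation already passed.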
