Input Validation
ELI5 — The Vibe Check
Input validation is checking that user input is what you expect before using it. If a field should be an email address, reject anything that isn't an email. If a field should be a number between 1 and 100, reject everything else. Never trust user input — validate it at every entry point.
Real Talk
Input validation verifies that data conforms to expected format, type, length, and range constraints before processing. Client-side validation improves the user experience, but only server-side validation is a security control, because anything running in the browser can be bypassed and requests can be sent directly to the API. Validation libraries like Zod, Joi, and Yup provide schema-based validation with detailed error messages, and a schema also makes the accepted shape of the input explicit (an allowlist) rather than trying to enumerate what is bad.
Show Me The Code
import { z } from 'zod';
import express from 'express';
const app = express();
app.use(express.json()); // parse JSON bodies so req.body is populated
// Schema: the only shape of request body we are willing to process.
const UserSchema = z.object({
  email: z.string().email().max(255),
  age: z.number().int().min(18).max(120),
  username: z.string().min(3).max(30).regex(/^[a-zA-Z0-9_]+$/),
});
// Server-side check: reject the request before any handler logic runs.
app.post('/users', (req, res) => {
  const result = UserSchema.safeParse(req.body);
  if (!result.success) {
    return res.status(400).json({ errors: result.error.issues });
  }
  const user = result.data; // validated and typed from here on
  res.status(201).json({ username: user.username });
});
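The following is an added example, not code from the original page or from Zod: a dependency-free validator that enforces the same type, length, range and pattern rules as the schema above, run against a constructed set of request bodies. It shows what a server still has to reject when a browser form "already checked" the data: a number sent as a string, a non-integer, a value outside the username allowlist, an over-long field, a body that is not an object, and an extra field such as isAdmin that was never asked for. The function names validate, userRules and runSamples are assumptions for this example.

```javascript
// Added example (not from the original page): schema-style validation
// without a library. Every rule is an allowlist: anything not explicitly
// permitted is rejected, and nothing is "cleaned up" or coerced.

const isEmail = (s) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(s);

// Each rule returns an error message or null.
const userRules = {
  email: (v) =>
    typeof v !== 'string' ? 'must be a string'
    : v.length > 255 ? 'too long'
    : !isEmail(v) ? 'not an email address' : null,
  age: (v) =>
    typeof v !== 'number' || !Number.isInteger(v) ? 'must be an integer'
    : v < 18 || v > 120 ? 'out of range 18-120' : null,
  username: (v) =>
    typeof v !== 'string' ? 'must be a string'
    : v.length < 3 || v.length > 30 ? 'length must be 3-30'
    : !/^[a-zA-Z0-9_]+$/.test(v) ? 'only letters, digits and _' : null,
};

// validate(rules, body) -> { ok: true, data } or { ok: false, errors }.
// Only declared fields are copied into data, so unexpected keys
// (e.g. "isAdmin": true) never reach the application.
function validate(rules, body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: [{ field: '$', message: 'body must be an object' }] };
  }
  const errors = [];
  const data = {};
  for (const [field, rule] of Object.entries(rules)) {
    const msg = rule(body[field]);
    if (msg) errors.push({ field, message: msg });
    else data[field] = body[field];
  }
  return errors.length ? { ok: false, errors } : { ok: true, data };
}

// Constructed sample bodies: the first is valid, the rest are shapes a
// browser form would never produce but a direct API call easily can.
const samples = [
  { email: 'ann@example.com', age: 34, username: 'ann_34', isAdmin: true },
  { email: 'ann@example.com', age: '34', username: 'ann_34' },          // string, not number
  { email: 'ann@example.com', age: 34.5, username: 'ann_34' },          // not an integer
  { email: 'ann@example.com', age: 34, username: '../etc/passwd' },     // outside allowlist
  { email: 'x'.repeat(300) + '@example.com', age: 34, username: 'ann' }, // too long
  ['ann@example.com', 34, 'ann'],                                        // wrong container
];

function runSamples() {
  return samples.map((body) => validate(userRules, body));
}

// Example run: one accepted body (without isAdmin), five rejections.
console.log(JSON.stringify(runSamples(), null, 1));
```

The point of the last step is that validation answers only "is this acceptable?"; it does not modify the value. Note also that the valid request's isAdmin flag is silently dropped rather than stored, which is a cheap defence against mass-assignment bugs.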
When You'll Hear This
"Add server-side input validation — client-side can be bypassed." / "The API rejected the request due to failed input validation."
Related Terms
Encoding
Encoding is converting data into a different format for safe transport or storage — not for security, but to prevent misinterpretation.
Escape
Escaping means converting special characters into their safe equivalents before putting them in HTML, SQL, or a shell command.
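As an added example that is not part of the original page, here is an HTML escaper showing how escaping differs from validation: validation decides whether a value is accepted at all, while escaping makes an accepted value safe for the specific place it is written, here an HTML text node or attribute. A perfectly valid username like O'Brien passes validation but still needs escaping before it is written into a page. The names escapeHtml and renderGreeting are assumptions for this example, and the sample strings are constructed.

```javascript
// Added example (not from the original page): context-specific escaping
// for HTML. Each character that has meaning in HTML is replaced by its
// entity so the browser treats the value as text, never as markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  // String() so numbers and other primitives are handled uniformly.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build a fragment from untrusted text; the same value is used in an
// attribute and in a text node, and both positions are escaped.
function renderGreeting(name) {
  return `<p title="${escapeHtml(name)}">Hello, ${escapeHtml(name)}!</p>`;
}

// Constructed inputs: a valid name with a quote, and one containing tags.
console.log(renderGreeting("O'Brien"));
console.log(renderGreeting('<b>hi</b> & "friends"'));
```

Escaping is per-context: this table is correct for HTML bodies and quoted attributes, but not for JavaScript strings, URLs or SQL, each of which needs its own encoder (or, for SQL, parameterized queries).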
OWASP Top 10
The OWASP Top 10 is the security industry's greatest hits of web vulnerabilities — the 10 most common, dangerous ways apps get hacked.
Sanitization
Sanitization is cleaning up user input before using it — stripping out anything dangerous like script tags or SQL commands.
SQL Injection
SQL injection is when a hacker types SQL code into a text field instead of normal text, and your stupid database runs it.
XSS (Cross-Site Scripting)
XSS stands for Cross-Site Scripting. Hackers inject their own JavaScript into your site so when other users visit, the evil script runs in their browser.