What is Input Validation?

Check Every Field Before Trusting It

Imagine filling out a form at the doctor's office. The receptionist checks your paperwork (validation), then security scans your bag for dangerous items (sanitization). Validation asks: "Is this data correct?" Sanitization asks: "Is this data safe?" Together, they protect your app from bad data AND malicious attacks.

5 min read Updated 2025-03-11 By Hasan

Concept

Why Check Before You Trust?

Think of input validation like a receptionist at a doctor's office. Before you can see the doctor, the receptionist checks your paperwork: Is the date in the right format? Did you fill in all required fields? Is that a real phone number? If something's wrong, they catch it now — not when the doctor is already treating you.

Without input validation: Users type whatever they want into your forms. An email field gets "not-an-email". A phone number field gets "call me later". A birth date gets "yesterday". Your app tries to use this garbage data and crashes, shows wrong information, or worse — lets hackers in through specially crafted input.

Without Input Validation

👤User

→

📝Formemail: "lol"

→

💾DatabaseSaves junk

→

💥ErrorApp crashes

Bad data flows through and breaks everything

With input validation: Every field gets checked before your app uses it. Email must contain @. Phone must be digits. Age must be a number. If something fails, the user gets a clear error message and can fix it. Your database only stores clean, correct data.

With Input Validation

👤User

→

Validator

✓CheckValid email?

→

💾DatabaseClean data

Bad data blocked at the door — only clean data gets through

The best part? Validation is just a series of simple checks. Is this field empty? Does this string contain @? Is this number positive? You can start with basic checks and add more as needed. Most frameworks have validation libraries that make it even easier — you just describe what you want, and the library does the checking.

But wait — validation isn't enough. A username like "John<script>alert(1)</script>" might pass your "not empty" check, but it contains code that could attack other users. That's where sanitization comes in. Think of it like airport security: checking your ID is validation (are you who you claim?), but the metal detector is sanitization (are you carrying anything dangerous?). Validation checks format. Sanitization removes danger. You need both.

TL;DR

Validation = checking data is correct (email has @). Sanitization = removing danger (no <script> tags). Use BOTH — validation catches mistakes, sanitization stops attacks.

Decision Framework

When to Use Input Validation

Input Validation isn't always the right call. Here's a quick mental model:

✓

You accept ANY data from users

Forms, search boxes, API endpoints, file uploads — if a user can type or send something, you need to validate it. Never trust input you didn't create.

✓

Data will be stored or displayed

Before saving to a database or showing on a page, validate. Bad data in your database causes bugs forever. Bad data on your page can even attack other users (XSS).

✓

You're building any login or signup flow

Email must be real. Password must meet requirements. Username can't have special characters. These validations protect your users and your system.

✓

You process payments or sensitive data

Credit card numbers have specific formats. Social security numbers have rules. Validating these fields catches typos before expensive payment failures.

✗

Data comes from your own code

If you're passing data between functions you wrote, you don't need to validate again. Validation is for untrusted input — external data you can't control.

✗

You're over-validating

Don't reject valid data with overly strict rules. Not all phone numbers are 10 digits. Not all names use only letters. Validate for safety, not arbitrary formatting.

Interactive Demo

Interactive Input Validation Demo

See how input validation protects your app. Try submitting valid and invalid data to watch the validator catch problems before they cause damage.

Scenario:

Email:

Username:

Age:

Password:

Submit the form to see validation in action

AI Prompts

AI Prompts for Input Validation

Now that you understand input validation, use these prompts with your AI coding agent. Copy the one that matches what you're building — the agent will handle the implementation.

Tip: These prompts work with any AI (ChatGPT, Claude, Cursor, Copilot). Just copy, paste, and let the AI write the validation code. You don't need to understand regex or validation libraries — the AI handles that.

📝 Add Form Validation

Add input validation to my form. I want to check user data before accepting it. Framework: [Express, Flask, Django, FastAPI, React, Vue, etc.] Validation library: [Zod, Yup, Pydantic, Joi, or suggest one] My form has these fields: - [email, password, username, age, phone, etc.] For each field: 1. What rules should it follow (required, format, length) 2. Clear error messages users will understand 3. Show validation both on the frontend (immediate feedback) AND backend (security) I'm learning, so explain why each validation rule matters and what could go wrong without it.

starter Start here - basic form validation pattern

🧹 Sanitize User Input

Add input sanitization to protect my app from malicious data. Framework: [Express, Flask, Django, FastAPI, etc.] I need to sanitize: - Text that will be displayed on pages (prevent XSS) - Data that will go into database queries (prevent SQL injection) - File names from user uploads - URLs from user input For each type: 1. What dangerous characters or patterns to remove/escape 2. The specific function or library to use 3. Where in my code to add the sanitization Explain the attacks each sanitization prevents — I want to understand why this matters, not just copy code.

starter Critical security - prevent injection attacks

🔌 Validate API Request Data

Create validation for my API endpoints. I want to reject bad requests before they hit my business logic. Framework: [Express, FastAPI, Django REST, etc.] Validation library: [Zod, Pydantic, Marshmallow, Joi, or suggest one] Validate these endpoints: [POST /users - create user with email, password, name] [PUT /users/:id - update user profile] [POST /orders - create order with items array, shipping address] For each endpoint: 1. Define a validation schema (types, required fields, formats) 2. Return clear error responses with field-level messages 3. Strip unknown fields to prevent mass assignment 4. Handle missing vs invalid vs malformed data differently Show me how to reuse validation schemas across endpoints. I'm learning, so explain each validation choice.

intermediate For API input validation

🔍 Explain My Validation Code

I have some validation code but I don't fully understand what it's doing. Please explain it to me. Here's my validation code: [paste your validation code here] Please explain: 1. What fields does this validate? 2. What rules does each field have? (explain in plain English) 3. Are there any security vulnerabilities or missing checks? 4. What error messages will users see? 5. Is validation happening on frontend, backend, or both? Suggest improvements if you see: - Missing sanitization - Rules that are too strict or too loose - Error messages that confuse users - Security gaps I'm learning, so explain like I'm new to validation.

documentation Understand existing validation code

Real World

Input Validation in Real Applications

Login forms everywhere try to log into any website with a blank password or an email like "asdf". You'll see red error messages immediately. That's input validation telling you what's wrong before you waste time hitting "submit" with bad data.

Credit card checkout enter a card number that's too short, or an expiration date in the past, and the payment form won't even try to charge you. Stripe and payment processors validate card formats before sending to banks — saving failed transaction fees.

Password requirements "Must be 8 characters, include a number and symbol" — that's validation ensuring passwords are strong enough. Without it, users would choose "123" and get hacked. The rules protect users from their own bad choices.

Twitter/X character limit try to post a tweet longer than 280 characters and the button grays out. That's real-time validation checking your input as you type and preventing data that doesn't fit the system's rules.

Comment sections stripping HTML try typing <script> or <img onerror="..."> in a YouTube comment. The site strips or escapes those tags before showing your comment to others. That's sanitization — removing dangerous code even from otherwise "valid" text.

Watch Out

Common Input Validation Mistakes to Avoid

Only validating on the frontend

JavaScript validation can be bypassed with browser dev tools. A hacker can send any data directly to your server. Always validate on the backend too — frontend validation is for user convenience, backend validation is for security.

Trusting data just because it came from your app

Even if your form only has a dropdown with valid options, a malicious user can send any value to your API. Validate server-side even when you "control" the input. The form is not the API.

Vague error messages

"Invalid input" doesn't help anyone. Tell users exactly what's wrong: "Email must contain @" or "Password must be at least 8 characters." Clear messages reduce support tickets and frustration.

Forgetting to sanitize after validating

A string can be "valid" but still dangerous. A valid username like "<script>alert(1)</script>" passes a "not empty" check but causes XSS. Validation checks format; sanitization removes danger.

Keep Learning

Related Building Blocks

COURSE

Ready to Build Real Products?

Learn to ship MicroSaaS apps with AI in the Solo Builder course.

Start Building →