Menu

Pages

Tools

Security & Reliability March 2026 ⏱ 9 min read

How Bad Input Validation Causes Application Errors and Data Loss

Every developer knows input validation matters. Most still underinvest in it. Here is what the failures actually look like and what to do about each one.

Input validation is one of those topics that every developer knows matters and most developers underinvest in. The consequences range from minor inconveniences, such as a form that accepts a future date of birth, to severe failures like a database field that crashes when it receives a string instead of an integer, or an API that returns all user records when given a malformed query parameter. This post covers the most common input validation failures, why they happen, and what to do about them.

Why Input Validation Fails

Input validation failures are rarely about laziness. They are almost always about one of four predictable patterns in how developers think about their own code:

🌹
Optimistic assumptions
Developers writing validation logic often mentally model the ideal user: someone who reads instructions, enters valid data, and submits forms correctly. Real users mistype, copy-paste from unexpected sources, use different date formats, leave fields blank, and occasionally test system limits deliberately.
🔦
Incomplete edge case coverage
A developer validates that a number field contains a number. They do not validate that it is positive. Or within the database field's maximum. Or that it is not Infinity or NaN. Partial validation gives a false sense of security.
🖥️
Frontend-only validation
Validating at the frontend and assuming the backend can trust the data is a critical mistake. Any frontend validation can be bypassed with browser developer tools or a direct API call. Backend validation is not optional. It is the only validation that actually protects the system.
Missing null and undefined handling
A field that is required in the UI might be absent in a direct API call. Code that does not handle absent fields throws TypeError: Cannot read properties of undefined and crashes, often with an error message that leaks internal structure.

Frontend validation is for user experience. Backend validation is for security. Conflating the two is what makes systems exploitable.

The Most Damaging Validation Failures

Not all validation failures are equal. These are the ones that cause the most serious damage in production systems, at scale, in ways that are often difficult to detect until something goes badly wrong.

Failure Type What Happens Severity
SQL Injection User input containing SQL syntax is passed directly into database queries. An attacker can read, modify, or delete any data in the database. Critical
Type Coercion Bugs JavaScript's loose typing silently produces wrong results. "5" + 3 = "53" but "5" - 3 = 2. Arithmetic on unvalidated string inputs produces unpredictable outputs without throwing an error. High
Integer Overflow A numeric input without an upper bound allows values that exceed the data type's maximum. The database throws an error or silently wraps to a negative number. High
File Upload Bypass Accepting files based only on the reported MIME type or file extension is insufficient. File headers can be spoofed. Malicious content passes validation and is stored or executed. Critical
JSON Without Structure Validation Accepting JSON input and passing it directly to a parser without validating structure means a malformed payload throws an unhandled exception and may expose a full stack trace. Medium
Missing Null Check A required field absent from a direct API call causes Cannot read properties of undefined to propagate through the call stack, crashing the request handler. Medium

The Type Coercion Trap in Detail

Type coercion bugs deserve special attention because they are common, silent, and look correct until you hit the specific edge case that breaks them. JavaScript's loose typing is the most common culprit:

⚠ Unexpected results
// Input arrives as string from form "5" + 3 "53" // concatenation! "5" - 3 2 // numeric "5" * 2 10 // numeric "0" == false true // loose equality! null + 1 1 // null coerced to 0 undefined + 1 NaN // silent failure
✓ Explicit type validation
// Always parse and validate explicitly const age = Number(input.age); if (!Number.isInteger(age)) { throw new Error("Age must be integer"); } if (age < 0 || age > 150) { throw new Error("Age out of range"); } // Now safe to use

Always parse and validate types explicitly. Never assume that a field your frontend sends as a number will arrive at the backend as a number. HTTP transmits everything as text. Your server needs to enforce the contract, not assume it.

SQL Injection — Still Common in 2026

SQL injection has been documented since the late 1990s. It remains in OWASP's top 10 vulnerabilities. It is not a sophisticated attack. It is a direct consequence of passing unvalidated user input into a database query.

⚠ Vulnerable — string concatenation
// User input: "'; DROP TABLE users;--" const query = `SELECT * FROM users WHERE email = '${userInput}'`; // Executes: SELECT * FROM users // WHERE email = ''; // DROP TABLE users;--' // 💥 Table dropped
✓ Safe — parameterised query
// Same input — now harmless const query = `SELECT * FROM users WHERE email = $1`; const result = await db.query( query, [userInput] // treated as data ); // ✓ Input never interpreted as SQL
⚠ No amount of input sanitisation replaces parameterised queries

Attempting to sanitise SQL input by escaping special characters is an incomplete solution. Edge cases exist. Character encoding tricks exist. The correct solution is parameterised queries, which separate the query structure from the data entirely. The database driver handles escaping. You never have to think about it.

How to Validate JSON Input Correctly

One of the most common validation points in modern development is JSON, covering API request bodies, configuration uploads, and data imports. Before passing any JSON input to your business logic, it needs to pass all five validation checks:

  1. Syntax check: validate that it is parseable JSON. A malformed payload that reaches your parser throws an unhandled exception. Always wrap JSON parsing in a try/catch.
  2. Type check: validate that the top-level structure is the expected type. Is it an object when you expect an object? An array when you expect an array? A string payload passed to an object parser crashes silently.
  3. Required fields: validate that all required fields are present before accessing them. An absent field you reference without checking throws Cannot read properties of undefined.
  4. Field type validation: validate that each field's value matches its expected type. An age field that should be a number but is a string will cause downstream arithmetic bugs.
  5. Range and format validation: validate that values fall within acceptable bounds. A negative quantity, a past expiryDate, or an email without an @ all pass type checks but represent invalid data.
🔍 Validate real JSON before writing integration code

Before writing a single line of integration code against an external API, paste a real response sample into the JSON Formatter. This immediately reveals the actual structure, not the documentation version but the real response. You will find missing fields, unexpected types, and nullable values that the documentation does not mention. Catching these before writing code prevents integration bugs entirely.

The Input Validation Checklist

Before any form field, API parameter, file upload, or JSON payload reaches your business logic, it should pass all of these checks. Apply this list at every external input boundary in your application:

Presence check: is the value present if it is required? Handle absent fields explicitly before accessing them.
Type check: is the type correct? String, number, boolean, array, object. Parse and validate. Never assume.
Length check: is the string within acceptable bounds? An unbounded string field is a door to buffer overflows and database errors.
Range check: is the number within an acceptable range? Validate both minimum and maximum values, including against database field limits.
Format check: does the string match the expected format? Email, URL, date (ISO 8601), UUID. Use a validation library, not a handwritten regex.
Enum check: is the value from the allowed set? A status field that accepts any string allows values that break your business logic.
Sanitisation: has the value been sanitised before inclusion in a query, template, or file path? This is separate from validation. Both are required.
Backend enforcement: are all checks applied on the backend, not just the frontend? Frontend validation can be bypassed by anyone with browser developer tools.
⚡ Apply validation at every external boundary

Validation is not a one-time gate at the form submission step. Every point where data enters from outside your system, whether an API request, a file upload, a webhook payload, a message queue event, or a database read from an untrusted source, is an external boundary that requires validation. Trust no input you did not generate yourself.

Free browser-based tools

Validate your JSON before it becomes a bug

Format and validate JSON syntax instantly. Compare API responses across environments. No login, no setup.

{ } JSON Formatter Text Diff Checker Aa Case Converter

Validation Is Not Optional. It Is the Contract.

Input validation is not a feature you add after the application works. It is the contract between your system and the outside world. Every input that enters your system without validation is a bet that the user, the API, or the upstream service will always send exactly what you expect. That bet loses constantly.

The failures covered here, SQL injection, type coercion, integer overflow, file upload bypass, JSON without structure validation, are not exotic edge cases. They are the routine consequences of skipping the validation step. Each one is preventable with explicit checks that take minutes to write and hours to fix when omitted.

Validate every input. Validate on the backend. Validate structure, type, range, and format. The checklist above covers every boundary. Work through it once at every input point in your application and you will eliminate the majority of data integrity bugs before they can exist.