The frontend has its own validation. Required fields, email format checks, character limits. But here is the thing — frontend validation can be bypassed. Anyone with browser DevTools can disable JavaScript, remove the maxlength attribute, or call the API directly with Postman. The database is the last line of defense.
Real story. A banking app had beautiful frontend validation on the transfer form. Amount must be positive. Cannot exceed balance. All looked perfect. But someone called the API directly with amount = -5000. No backend validation. No DB constraint. The sender RECEIVED money instead of sending it. Balance went up. That is a Rs 5,000 bug — per request.
-- Test 1: Does the DB reject NULL in required fields?
INSERT INTO users (full_name, email, phone)
VALUES (NULL, 'test@email.com', '9876543210');
-- Expected: ERROR — full_name cannot be NULL
-- Test 2: Does the DB reject negative amounts?
INSERT INTO transactions (from_account, to_account, amount)
VALUES ('ACC001', 'ACC002', -5000.00);
-- Expected: ERROR — CHECK constraint violation
-- Test 3: Does the DB reject duplicate emails?
INSERT INTO users (full_name, email, phone)
VALUES ('Test User', 'existing@email.com', '9876543211');
-- Expected: ERROR — UNIQUE constraint violation
-- If any of these SUCCEED, you found a critical bug.
-- The database is not protecting itself.

List all frontend validations for a feature (check the form, read the JS/React code if possible).
For each frontend rule, check if the same rule exists in the database (constraint, trigger, or stored procedure).
Try bypassing frontend validation — use Postman, curl, or browser DevTools to send invalid data directly to the API.
Check the database. Did the invalid data get stored? If yes, file a critical bug.
Document which validations exist only on the frontend (risky) vs which are enforced at the DB level (safe).
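The three SQL probes and the five-step checklist above, carried out end to end as an added example (this is my illustration, not code from the original page): a Python script using the standard-library sqlite3 module builds the users, accounts and transactions tables two ways, a constructed WEAK_SCHEMA with no constraints and a HARDENED_SCHEMA where each frontend rule has a NOT NULL, UNIQUE, CHECK or foreign key counterpart, then fires the same invalid inserts a Postman user would send and records which ones the database stored. It also replays the negative-amount transfer from the banking story against both schemas. The table layouts, seed rows, the fourth probe (unknown destination account) and the email and phone rules are assumptions made for the example.

```python
import sqlite3

# Constructed schemas for the tables the probes above assume. WEAK_SCHEMA is the
# "frontend-only validation" state: columns exist, the database enforces nothing.
WEAK_SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, full_name TEXT, email TEXT, phone TEXT);
CREATE TABLE accounts (account_no TEXT PRIMARY KEY, balance NUMERIC);
CREATE TABLE transactions (id INTEGER PRIMARY KEY, from_account TEXT, to_account TEXT, amount NUMERIC);
"""

# HARDENED_SCHEMA mirrors each frontend rule with a database constraint (assumed rules).
HARDENED_SCHEMA = """
CREATE TABLE users (
    id        INTEGER PRIMARY KEY,
    full_name TEXT NOT NULL CHECK (length(trim(full_name)) > 0),
    email     TEXT NOT NULL UNIQUE CHECK (email LIKE '%_@_%.__%'),
    phone     TEXT NOT NULL CHECK (length(phone) BETWEEN 10 AND 15)
);
CREATE TABLE accounts (
    account_no TEXT PRIMARY KEY,
    balance    NUMERIC NOT NULL CHECK (balance >= 0)
);
CREATE TABLE transactions (
    id           INTEGER PRIMARY KEY,
    from_account TEXT NOT NULL REFERENCES accounts(account_no),
    to_account   TEXT NOT NULL REFERENCES accounts(account_no),
    amount       NUMERIC NOT NULL CHECK (amount > 0),
    CHECK (from_account <> to_account)
);
"""

# Constructed seed rows: one existing user and two funded accounts.
SEED = """
INSERT INTO users (full_name, email, phone) VALUES ('Existing User', 'existing@email.com', '9876543200');
INSERT INTO accounts VALUES ('ACC001', 1000.00), ('ACC002', 500.00);
"""

# Each probe is one direct-to-API bypass attempt from the checklist above.
PROBES = [
    ("NULL in required field",
     "INSERT INTO users (full_name, email, phone) VALUES (NULL, 'test@email.com', '9876543210')"),
    ("negative amount",
     "INSERT INTO transactions (from_account, to_account, amount) VALUES ('ACC001', 'ACC002', -5000.00)"),
    ("duplicate email",
     "INSERT INTO users (full_name, email, phone) VALUES ('Test User', 'existing@email.com', '9876543211')"),
    ("transfer to unknown account",
     "INSERT INTO transactions (from_account, to_account, amount) VALUES ('ACC001', 'ACC999', 10.00)"),
]


def open_db(schema_sql):
    """In-memory database with the given schema and seed rows. SQLite ignores
    foreign keys unless the pragma is on, so the pragma is part of the hardening."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(schema_sql)
    conn.executescript(SEED)
    return conn


def probe_constraints(schema_sql):
    """Run every probe on a fresh database. Returns {probe: 'REJECTED' | 'STORED'};
    any 'STORED' entry is the critical bug the checklist describes."""
    conn = open_db(schema_sql)
    results = {}
    for name, stmt in PROBES:
        try:
            conn.execute(stmt)
            conn.commit()
            results[name] = "STORED"
        except sqlite3.IntegrityError:  # NOT NULL, UNIQUE, CHECK and FK failures all land here
            conn.rollback()
            results[name] = "REJECTED"
    conn.close()
    return results


def frontend_only_rules(results):
    """Rules that exist only on the frontend: the 'risky' column of the report in step 5."""
    return sorted(name for name, outcome in results.items() if outcome == "STORED")


def balances(conn, *account_nos):
    return tuple(conn.execute("SELECT balance FROM accounts WHERE account_no = ?", (a,)).fetchone()[0]
                 for a in account_nos)


def transfer(conn, from_acct, to_acct, amount):
    """The transfer from the banking story, run the way a backend with no validation
    of its own would run it. Returns the two balances afterwards, or None if the
    database refused the transaction (the whole transfer is then rolled back)."""
    try:
        with conn:  # one transaction: the row and both balance updates commit together or not at all
            conn.execute("INSERT INTO transactions (from_account, to_account, amount) VALUES (?, ?, ?)",
                         (from_acct, to_acct, amount))
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE account_no = ?", (amount, from_acct))
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE account_no = ?", (amount, to_acct))
    except sqlite3.IntegrityError:
        return None
    return balances(conn, from_acct, to_acct)


if __name__ == "__main__":
    for label, schema in (("weak", WEAK_SCHEMA), ("hardened", HARDENED_SCHEMA)):
        print(label, "frontend-only rules:", frontend_only_rules(probe_constraints(schema)))
        print(label, "transfer of -5000 from ACC001:", transfer(open_db(schema), "ACC001", "ACC002", -5000.00))
```

On the weak schema every probe comes back STORED and the -5000 transfer leaves ACC001 at 6000 and ACC002 at -4500, which is the bug from the story; on the hardened schema every probe is REJECTED and the transfer returns None with both balances untouched. The same harness also catches an overdraw: with CHECK (balance >= 0) a transfer larger than the sender's balance fails on the UPDATE and the already-inserted transaction row is rolled back with it. One caveat worth carrying into real tests: the foreign key probe only fails because PRAGMA foreign_keys = ON is set on the connection, and a database that declares constraints the engine is not configured to enforce is exactly the silent gap this check exists to find.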
Never rely on frontend validation alone. It is a convenience for the user, not a security measure. If the database does not enforce the rule, the rule does not really exist.
Q: Why is frontend validation not sufficient? Why do we need database-level validation?
A: Frontend validation runs on the client, which the user controls, so it can be bypassed with browser DevTools or skipped entirely by calling the API directly with Postman or curl; someone with direct database access skips the application altogether. Database validation (NOT NULL, UNIQUE, CHECK and foreign key constraints, triggers) runs inside the database and applies to every write, whichever client or code path produced it. Backend validation in the API is still required, but it is application code and can have gaps; the database constraint is the final enforcer. For critical rules like preventing negative balances, ensuring unique emails, and enforcing referential integrity, the database must be the last line of defense. I always verify that every important frontend rule has a corresponding database constraint.
Key Point: Frontend validation is for user convenience. Database validation is for data safety. Always verify both exist.