Validate your data · Enter the Database

You just saw it — your database accepted a one-letter title without complaint. It caught missing values and duplicates, but anything beyond that slipped right through.

You need to check input before it reaches the database. That's validation.

Two layers of defense

Your database schema already enforces basic rules — notNull() prevents empty values, unique() prevents duplicates. But those are blunt instruments. They can tell you a column isn't empty, not that a title is too short or that an email address is real.

Validation is the second layer. It runs before the data even reaches the database, checking whether the values make sense for your app. Think of it like a bouncer at the door — the database is the building's fire code (structural limits), but the bouncer checks the guest list (business rules).

Add validation schemas

The tools for this are already in your project: Zod is a validation library that lets you describe what valid data looks like, and drizzle-zod bridges it with your Drizzle tables so you don't have to describe each field by hand.

Ask your AI:

Add validation schemas to the schema file using `createInsertSchema` from `drizzle-zod`. Create an insert schema for forms that requires title to be at least 3 characters. Create an insert schema for submissions too.

Your validation schemas should look something like this:

app/.server/db/schema.ts

import { createInsertSchema } from 'drizzle-zod'

export const formInsertSchema = createInsertSchema(forms, {
  title: (z) => z.min(3, 'Title must be at least 3 characters'),
})

export const submissionInsertSchema = createInsertSchema(submissions)

createInsertSchema turns your Drizzle table into a validation schema so you don't have to redefine every field. You just add stricter checks where you need them — like a minimum length for title.

What validation gives you

When validation fails, Zod returns structured errors that tell you exactly what went wrong:

{
  "title": ["Title must be at least 3 characters"]
}

Each field gets its own list of error messages. Your form can show them right next to the relevant input — "Title must be at least 3 characters" appears under the title field, not as a generic alert at the top of the page.

Without validation, bad data silently gets in. With it, the user sees exactly what to fix before anything touches the database.

?What is validation?