Why should I validate params and query, not just body?
Invalid params (e.g., a non-24-char ObjectId) crash Mongoose. Invalid query (e.g., a non-numeric skip) breaks pagination. Validate all three with separate factories: validate, validateParams, validateQuery.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Common Validation Mistakes in Express (and How to Fix Them)
No validation at all, only validating the body (forgetting params and query), not replacing req.body with parsed data, no type coercion, validating in controllers (duplication), validating too late, generic error messages, not handling Mongoose ValidationErrors, no runValidators on updates, and trusting client-side validation.
Because Zod coerces types (string to number, defaults, transforms). If you keep the original req.body, downstream code uses uncoerced strings. Replace req.body = result.data so the handler sees the parsed, coerced data.
It duplicates logic across controllers. Validation in a middleware is applied per route and reusable. Controllers should focus on business logic, not validation.
Still have questions?
Browse all our FAQs or reach out to our support team
