Ayodele Aransiola

Back to Blog

Securing Your Backend: Never Bind Request Data Directly to Database Models

December 25, 2025 By Ayodele
security
backend
web development

Many bugs cause your application to crash or throw different errors, such as 500 or any related ones. You find and could fix them quickly because they break the user experience. But some of the most dangerous bugs are silent. They don't break your app; they just change how it behaves in ways you didn't intend without you knowing. all the tests pass, but something is not right.

One of these silent killers is over-posting.

In this article, you will learn how trusting user input too much can lead to unauthorized data changes. We will also look at how to use Data Transfer Objects (DTOs) and proper architectural mapping to keep your database secure.

How Over Posting Works

When a user sends a request to your server, like updating their profile, they usually send a JSON object. Many modern Object-Relational Mappers (ORMs) make it easy to save this data. You might be tempted to pass the entire request body directly into your database model to save time.

This is where the hidden bug lives. Because there is no filter, the ORM accepts every field in the request. If an attacker adds an extra field like "is_admin": true or "balance": 9999 to their request, the ORM will blindly bind that data to your database.

The app doesn't crash. It simply grants the user admin rights or inflates their credit.

How to Use DTOs for Input Filtering

Data Transfer Object (DTO) is a simple object that defines exactly what data is allowed to enter your system. Think of DTO as a security guard at the gate of your database, helping to standardize communication, reduce complexity, and control what data is exposed, making them ideal for APIs and microservices. The most effective way to stop this is to stop using req.body or params directly in your database queries. Instead, you should use a Data Transfer Object (DTO).

When you use a DTO, you create an "allow-list." Even if a user sends ten extra fields in their request, your DTO will only extract the three fields you actually need.

Here is an example of a vulnerable update vs. a secure update using a DTO:

// The Vulnerable Way
// An attacker can send { "name": "Sam", "role": "admin" }
app.patch("/user/profile", async (req, res) => {
  await User.update(req.body, { where: { id: req.userId } });
  res.send("Profile updated!");
});

// The Secure Way with a DTO
app.patch("/user/profile", async (req, res) => {
  // We only pull "name" and "bio". Everything else is ignored.
  const updateData = {
    name: req.body.name,
    bio: req.body.bio
  };

  await User.update(updateData, { where: { id: req.userId } });
  res.send("Profile updated!");
});

By manually mapping the fields, you ensure that sensitive columns like role, price, or balance remain untouched by the user.

How to Separate Your Models from Your Logic

For larger applications, manual mapping in every route becomes messy. To fix this, you should separate your Database Models from your Application Logic.

Your database model should represent the table structure in your database. Your logic layer should handle the "mapping." This means you take the incoming request data, validate it, and then map it to the model.

This separation of concerns makes your code easier to test. It also creates a layer where you can perform complex checks. For example, if a user tries to modify the price of an item, your logic layer can catch this and verify if the user is a "Store Manager" or just a "Customer."

How to Verify Roles and State Transitions

Filtering data is only half the battle. You also need to check the incoming request against the user's current state in the database.

A common mistake is trusting the "role" sent in a request. If a user sends a request to update-role, you must check two things:

  1. Does the current user have the permission to change roles?
  2. Is the new role they are requesting valid for their current status?
app.post("/update-role", async (req, res) => {
  const user = await User.findByPk(req.userId);
  const newRole = req.body.role;

  // Logic check: Check the database, not just the request
  if (user.role !== 'admin') {
    return res.status(403).send("Only admins can change roles.");
  }

  user.role = newRole;
  await user.save();
});

Always treat the incoming request as a "suggestion." Your backend must be the ultimate source of truth by comparing the incoming request against the existing record in your database.

Conclusion

"Hidden" bugs like over-posting are dangerous because they don't cause errors. They simply allow your app to be used in ways you never intended.

To keep your application secure, remember these three rules:

  • Never bind raw request objects directly to your ORM.
  • Use DTOs to create strict allow-lists for incoming data.
  • Verify permissions by checking the user's current state in the database before applying changes.

By following these patterns, you build a "defense in depth" strategy that protects your data from even the most creative attackers.