Base44 security

Forms Accept Any Input Without Validation

Forms in your Base44 app accept and save any input without validation. Users can submit empty required fields, enter text in number fields, submit absurdly long strings, or inject HTML and scripts into text fields. This corrupts your data and, when the stored text is later rendered to other users, creates security vulnerabilities.

Without validation, your database fills with garbage data: empty email fields, phone numbers with letters, negative quantities, and dates in the wrong format. Reports become unreliable, automated workflows break on bad data, and cleaning up the mess is time-consuming.

Worse, a malicious user can submit script in a text field. If the app renders that stored value without escaping it, the script runs in the browser of whoever views it (stored cross-site scripting), letting the attacker steal that user's session or perform actions on their behalf, including as an admin.

Error Messages You Might See

  • Invalid data saved to database
  • Form submitted with empty required fields
  • Script executed when viewing submitted data
  • Number field contains non-numeric value

Common Causes

  • No field constraints configured — Base44 form fields don't have required, min/max, or format rules set
  • Client-side validation only — HTML5 validation attributes exist but can be bypassed by editing the page in the browser or by submitting directly to the API
  • Text fields without length limits — Users can paste megabytes of text into a single field, bloating the database
  • Number fields accepting strings — Price, quantity, and age fields store whatever string is submitted
  • No sanitization of HTML content — Rich text or description fields accept raw HTML and JavaScript

How to Fix It

  1. Add required field rules — Mark all mandatory fields as required in both the form configuration and the data table schema
  2. Set field type constraints — Configure number fields to accept only numbers, email fields to validate email format, and date fields to accept only valid dates
  3. Add length limits — Set maximum character limits on text fields (e.g., 255 for names, 1000 for descriptions)
  4. Sanitize text input — Strip HTML tags from plain text fields and run rich text fields through an allowlist-based sanitizer that keeps only safe elements and attributes. Treat this as defence in depth: the rendering layer must still escape stored text before inserting it into HTML
  5. Add server-side validation rules — Configure validation at the data layer so it can't be bypassed by direct API calls
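The five steps above combined into one server-side check, as an added example; this is illustrative code, not Base44's own API or configuration. `ORDER_SCHEMA`, `validateRecord()` and the helper names are assumed, and the two sample submissions are constructed. It runs under Node.js with no dependencies.

```javascript
// Added example: validate a submitted record against a schema before writing it.
// Illustrative only; the schema format and function names are not a Base44 API.

// Schema for a hypothetical "orders" table. Mirror the same rules in the table
// definition so that direct API writes are held to the same constraints.
const ORDER_SCHEMA = {
  name:      { type: 'string',  required: true,  maxLength: 255 },
  email:     { type: 'email',   required: true,  maxLength: 254 },
  quantity:  { type: 'integer', required: true,  min: 1, max: 10000 },
  price:     { type: 'number',  required: true,  min: 0 },
  ship_date: { type: 'date',    required: false },
  notes:     { type: 'string',  required: false, maxLength: 1000 },
};

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const NUMBER_RE = /^-?\d+(\.\d+)?$/; // plain decimal literals only: no "1e9", no "0x10"

function isBlank(v) {
  return v === undefined || v === null || (typeof v === 'string' && v.trim() === '');
}

// Plain-text fields: drop anything that looks like a tag (defence in depth only).
function stripTags(s) {
  return s.replace(/<[^>]*>/g, '');
}

// Output encoding: what a template must apply before interpolating stored text into HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Accept a JSON number or a strictly numeric string; anything else becomes NaN.
function toNumber(v) {
  if (typeof v === 'number') return v;
  if (typeof v === 'string' && NUMBER_RE.test(v.trim())) return Number(v.trim());
  return NaN;
}

// A real calendar date in YYYY-MM-DD form. The round trip through Date rejects
// values such as 2024-02-30, which some parsers silently roll over to March.
function isIsoDate(v) {
  if (typeof v !== 'string' || !/^\d{4}-\d{2}-\d{2}$/.test(v)) return false;
  const d = new Date(`${v}T00:00:00Z`);
  return !Number.isNaN(d.getTime()) && d.toISOString().slice(0, 10) === v;
}

// Returns { ok, errors, clean }. Only `clean` should ever reach the database.
function validateRecord(schema, input) {
  const errors = [];
  const clean = {};
  // Reject keys the form never exposed, so a client cannot set arbitrary columns.
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) errors.push(`${key}: unknown field`);
  }
  for (const [field, rule] of Object.entries(schema)) {
    const raw = input[field];
    if (isBlank(raw)) {
      if (rule.required) errors.push(`${field}: required`);
      continue;
    }
    switch (rule.type) {
      case 'string': {
        if (typeof raw !== 'string') { errors.push(`${field}: must be text`); break; }
        const s = stripTags(raw).trim();
        if (s.length > rule.maxLength) { errors.push(`${field}: exceeds ${rule.maxLength} characters`); break; }
        clean[field] = s;
        break;
      }
      case 'email': {
        const s = typeof raw === 'string' ? raw.trim() : '';
        if (!EMAIL_RE.test(s) || s.length > rule.maxLength) { errors.push(`${field}: invalid email address`); break; }
        clean[field] = s.toLowerCase();
        break;
      }
      case 'integer':
      case 'number': {
        const n = toNumber(raw);
        if (!Number.isFinite(n) || (rule.type === 'integer' && !Number.isInteger(n))) {
          errors.push(`${field}: must be a ${rule.type}`); break;
        }
        if (rule.min !== undefined && n < rule.min) { errors.push(`${field}: below minimum ${rule.min}`); break; }
        if (rule.max !== undefined && n > rule.max) { errors.push(`${field}: above maximum ${rule.max}`); break; }
        clean[field] = n;
        break;
      }
      case 'date': {
        if (!isIsoDate(raw)) { errors.push(`${field}: must be a valid YYYY-MM-DD date`); break; }
        clean[field] = raw;
        break;
      }
      default:
        errors.push(`${field}: unsupported type ${rule.type}`);
    }
  }
  return { ok: errors.length === 0, errors, clean };
}

// Constructed sample submissions (not real data): one that trips every rule, one that passes.
const BAD_SUBMISSION = {
  name: '<b>Bob</b>', email: 'not-an-email', quantity: '-3', price: 'free',
  ship_date: '2024-02-30', notes: 'x'.repeat(2000), is_admin: true,
};
const GOOD_SUBMISSION = {
  name: 'Alice Example', email: 'Alice@Example.com', quantity: '2', price: 9.99, ship_date: '2024-03-01',
};

console.log(JSON.stringify(validateRecord(ORDER_SCHEMA, BAD_SUBMISSION), null, 2));
console.log(JSON.stringify(validateRecord(ORDER_SCHEMA, GOOD_SUBMISSION), null, 2));
```

Run the check wherever writes happen on the server side (a backend function or API handler), never only in the React form, and persist only the `clean` object. The tag-stripping regex is adequate for plain text fields that should never contain markup; rich text needs an allowlist sanitizer such as DOMPurify rather than a regex. Whatever is stored, the page that displays it must still encode it as `escapeHtml()` does, because input sanitization alone does not stop stored XSS.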


Frequently Asked Questions

Why is client-side validation not enough?

Anyone can bypass browser validation by editing the HTML in developer tools, disabling JavaScript, or sending requests directly to the API with a tool such as curl. Server-side or data-layer validation is the only reliable way to ensure data integrity; client-side checks are a convenience for honest users, not a control.

How do I clean up existing bad data?

Export your table data, clean it in a spreadsheet by removing empty rows and fixing formats, then re-import. Add the validation rules before re-importing so the cleaned data is checked on the way back in and bad data cannot be saved again.
