javascript
45 lines · 9 steps
Validating query params with Zod in Express
An Express route uses a Zod schema to coerce, validate, and default query parameters before building a safe database query.
Explained by
highlit
1const express = require('express');
2const { z } = require('zod');
3const router = express.Router();
4
5const filterSchema = z.object({
6 status: z.enum(['active', 'archived', 'pending']).optional(),
7 minPrice: z.coerce.number().nonnegative().optional(),
8 maxPrice: z.coerce.number().positive().optional(),
9 tags: z
10 .string()
11 .transform((s) => s.split(',').map((t) => t.trim()).filter(Boolean))
12 .pipe(z.array(z.string()).max(10))
13 .optional(),
14 sort: z.enum(['created_at', 'price', 'name']).default('created_at'),
15 order: z.enum(['asc', 'desc']).default('desc'),
16 page: z.coerce.number().int().min(1).default(1),
17 limit: z.coerce.number().int().min(1).max(100).default(20),
18});
19
20router.get('/products', async (req, res, next) => {
21 const parsed = filterSchema.safeParse(req.query);
22 if (!parsed.success) {
23 return res.status(400).json({ error: 'Invalid filters', details: parsed.error.flatten().fieldErrors });
24 }
25
26 const { status, minPrice, maxPrice, tags, sort, order, page, limit } = parsed.data;
27
28 let query = req.db('products');
29 if (status) query = query.where('status', status);
30 if (minPrice != null) query = query.where('price', '>=', minPrice);
31 if (maxPrice != null) query = query.where('price', '<=', maxPrice);
32 if (tags?.length) query = query.whereRaw('tags && ?', [tags]);
33
34 try {
35 const rows = await query
36 .orderBy(sort, order)
37 .limit(limit)
38 .offset((page - 1) * limit);
39 res.json({ page, limit, data: rows });
40 } catch (err) {
41 next(err);
42 }
43});
44
45module.exports = router;
01 / 01
STEP 01
‹ swipe to step through ›
Walkthrough
Space play
←→ step
click any line
Three takeaways
- 1Coercing and defaulting query strings at the schema boundary keeps route logic clean and predictable.
- 2safeParse lets you reject bad input with structured errors instead of throwing mid-handler.
- 3Building queries conditionally from validated data avoids injecting untrusted values into the database.
Related explainers
javascript
import { parsePhoneNumberFromString } from 'libphonenumber-js'; export class PhoneValidationError extends Error { constructor(message, code) {
Normalizing phone numbers with typed errors
validation
error-handling
custom-errors
Intermediate
6 steps
python
import os from datetime import datetime, timezone import jwt
JWT bearer auth as a FastAPI dependency
authentication
jwt
dependency-injection
Intermediate
7 steps
php
public function importCustomers(UploadedFile $file): array { $errors = []; $imported = 0;
Validating a CSV import in Laravel
csv-parsing
validation
error-accumulation
Intermediate
8 steps
javascript
const RESERVED_SLUGS = new Set(['new', 'edit', 'admin', 'api']); function slugify(title) { return title
Generating URL-safe unique slugs
string-normalization
regex
deduplication
Intermediate
9 steps
javascript
class EventEmitter { constructor() { this.listeners = new Map(); }
Building an EventEmitter in JavaScript
pub-sub
closures
map
Intermediate
7 steps
javascript
const express = require('express'); const compression = require('compression'); const zlib = require('zlib');
Tuning Express response compression
compression
middleware
http
Intermediate
9 steps
Share this explainer
Here's the card — post it anywhere.
Made with highlit — turn any snippet into a walkthrough like this in about a minute.
Explain your code
Embed this explainer
Drop the interactive walkthrough into a blog or docs. Views never cost a credit.
<iframe src="https://highlit.co/explainers/validating-query-params-with-zod-in-express-explained-javascript-708d/embed?autoplay=1" width="100%" height="520" loading="lazy" style="border:0"></iframe>
Autoplay is on by default — add ?autoplay=0 to start paused.