Mastering CRUD: Build Full-Stack Database Applications

Chapter 7 of 10 · Chapter 7 — Validation, Errors & Security
Lesson 34 of 52 · Reading · 11 min

Mass Assignment & Over-Posting

A subtle, dangerous bug: blindly spreading the request body into your database write.

The Vulnerable Code

```ts
const body = await req.json();
// Every key in the body becomes a column write, whatever the client chose to send.
await prisma.user.update({ where: { id }, data: body }); // 😱
```

A user submits:

```json
{ "name": "Mallory", "role": "ADMIN", "isVerified": true }
```

They just promoted themselves to admin. This is mass assignment (a.k.a. over-posting): the client sets fields they were never supposed to touch.

Fix 1: Whitelist Fields with a Schema

```ts
import { z } from "zod";

// Only the fields a client may change are declared here.
const UpdateProfile = z.object({
  name: z.string().max(100).optional(),
  bio:  z.string().max(500).optional(),
}); // role, isVerified, id simply aren't here

// parse() strips keys the schema does not declare and throws on invalid values.
const data = UpdateProfile.parse(body);
await prisma.user.update({ where: { id }, data });
```

Unknown fields are dropped. role can never be set through this endpoint.

Fix 2: Pick Explicitly

```ts
const { name, bio } = body;
await prisma.user.update({ where: { id }, data: { name, bio } });
```

Server-Controlled Fields Stay Server-Side

Some fields must never come from the client:

| Field | Who sets it |
| --- | --- |
| id | The database |
| ownerId / userId | The session |
| role, isVerified | Admin flows only |
| createdAt, updatedAt | The database |
| price (in a checkout) | The server, from the catalog |

The rule from Chapter 5 generalizes: derive identity and privilege fields on the server, never from the request body.
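As an added example (not the course's own code), here is the Fix 1 allow-list and the server-controlled-fields rule implemented together in plain TypeScript, without Zod or Prisma so it runs stand-alone; `sanitizeProfileUpdate`, `buildProfileUpdate` and the session shape are assumptions. Besides stripping unknown keys as z.object does by default, it offers a strict mode that rejects them (like `.strict()`) and returns the rejected key names so the route can log an over-posting attempt.

```typescript
// Added example, not code from the course: an allow-list sanitizer for the
// UpdateProfile endpoint, written without Zod so it runs stand-alone. It
// mirrors the lesson's limits (name <= 100, bio <= 500) and reports which
// keys were rejected so an over-posted `role` can be logged. Names assumed.
type ProfilePatch = { name?: string; bio?: string };

// The only client-settable fields. A Map rather than a plain object, so a
// body key like "constructor" cannot match an inherited property.
const UPDATE_PROFILE_FIELDS = new Map<string, { maxLength: number }>([
  ["name", { maxLength: 100 }],
  ["bio", { maxLength: 500 }],
]);

interface SanitizeResult {
  data: ProfilePatch;   // safe to hand to prisma as `data`
  rejected: string[];   // keys the client sent but may not set
  errors: string[];     // problems that should become a 400 response
}

// strict=false drops unknown keys silently (z.object's default);
// strict=true turns them into errors (like z.object(...).strict()).
function sanitizeProfileUpdate(body: unknown, strict = false): SanitizeResult {
  const result: SanitizeResult = { data: {}, rejected: [], errors: [] };
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    result.errors.push("body must be a JSON object");
    return result;
  }
  for (const [key, value] of Object.entries(body)) {
    const rule = UPDATE_PROFILE_FIELDS.get(key);
    if (rule === undefined) {
      result.rejected.push(key); // e.g. role, isVerified, id
      if (strict) result.errors.push(`unknown field: ${key}`);
    } else if (typeof value !== "string") {
      result.errors.push(`${key} must be a string`);
    } else if (value.length > rule.maxLength) {
      result.errors.push(`${key} exceeds ${rule.maxLength} characters`);
    } else {
      result.data[key as keyof ProfilePatch] = value;
    }
  }
  return result;
}

// Identity comes from the session, never from the body; rejected keys are
// returned so the route can log them as a possible over-posting attempt.
function buildProfileUpdate(session: { userId: string }, body: unknown) {
  const { data, errors, rejected } = sanitizeProfileUpdate(body);
  if (errors.length > 0) throw new Error(errors.join("; "));
  return { where: { id: session.userId }, data, rejected };
}
```

Fed the lesson's `{ "name": "Mallory", "role": "ADMIN", "isVerified": true }` body, strip mode returns `data: { name: "Mallory" }` with `rejected: ["role", "isVerified"]`, and strict mode additionally reports two errors.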
