
Where should data validation happen?

Updated: 2023-02-06 18:06:20

My 2 cents:

Data validation should occur in two locations:


  1. The point where data is acted upon, for example validating input parameters to an SQL query.

  2. General validation at the point where data is submitted, for example in a web application some validation should occur on the client. The advantage being that you can quickly notify users of input issues, i.e. incorrectly formed telephone number, string too long etc. However this should not be relied upon to be an authoritative validation check as, in the case of a web application, a malicious user may bypass any client-side validation.

In my opinion the database should not be performing general validation, data should be validated/escaped/sanitised before it goes into the database. That said, your database schema can give you a level of abstract validation through column data types, constraints etc. Even so, any data that could trigger issues with these should be 'cleaned' before it is passed into the database.

This said, there are many wrong ways but there is no right way. Validation depends on the architecture of your application, the nature of the data within it and how that data is used.
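The layering described in the answer above, worked through as an added example (not code from the original post): the authoritative check sits on the server at the point where the data is acted upon, the query is parameterised so the cleaned values never become SQL text, and the schema's CHECK constraints act as a last line of defence when application validation is skipped. The client-side layer is deliberately left out, since it can be bypassed. The table name, the phone-number rule and the sample inputs are constructed for this illustration and are not from the original page.

```python
import re
import sqlite3

# Layer 2 (server side): validation at the point where data is acted upon.
# Rule is an assumption for the example: optional "+" then 7 to 15 digits.
PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")
MAX_NAME_LEN = 64


class ValidationError(ValueError):
    """Raised when submitted data fails the authoritative server-side check."""


def validate_contact(name, phone):
    """Return a cleaned (name, phone) tuple or raise ValidationError.

    This is the check a bypassed client cannot skip: every value that
    reaches the SQL query below has passed through here.
    """
    if not isinstance(name, str) or not isinstance(phone, str):
        raise ValidationError("name and phone must be strings")
    name = name.strip()
    if not name:
        raise ValidationError("name must not be empty")
    if len(name) > MAX_NAME_LEN:
        raise ValidationError("name too long")
    # Normalise common separators, then require a well-formed number.
    phone = re.sub(r"[ \-()]", "", phone)
    if not PHONE_RE.fullmatch(phone):
        raise ValidationError("phone number is not well formed")
    return name, phone


def open_db():
    """Create an in-memory database with schema-level constraints (layer 3)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE contacts (
            id    INTEGER PRIMARY KEY,
            name  TEXT NOT NULL CHECK (length(name) BETWEEN 1 AND 64),
            phone TEXT NOT NULL CHECK (length(phone) BETWEEN 7 AND 16)
        )
        """
    )
    return conn


def insert_contact(conn, name, phone):
    """Validate first, then insert with a parameterised query (no string building)."""
    name, phone = validate_contact(name, phone)
    cur = conn.execute(
        "INSERT INTO contacts (name, phone) VALUES (?, ?)", (name, phone)
    )
    conn.commit()
    return cur.lastrowid


def db_constraint_catches(conn, name, phone):
    """Skip application validation on purpose to show the schema constraint firing.

    Returns True when the database rejected the row, False if it was accepted.
    """
    try:
        conn.execute(
            "INSERT INTO contacts (name, phone) VALUES (?, ?)", (name, phone)
        )
        return False
    except sqlite3.IntegrityError:
        return True


def count_contacts(conn):
    return conn.execute("SELECT COUNT(*) FROM contacts").fetchone()[0]


def demo():
    """Run constructed inputs through the layers and report what each did."""
    conn = open_db()
    results = {}
    # A well-formed record passes the server-side check and is stored.
    results["ok"] = insert_contact(conn, "Alice", "+44 20 7946 0958") is not None
    # Inputs a client-side check would normally stop, submitted directly to the server.
    for label, name, phone in [
        ("too_long", "x" * 200, "02079460958"),
        ("bad_phone", "Bob", "+1 (555) 0100 ext. 42"),
    ]:
        try:
            insert_contact(conn, name, phone)
            results[label] = "accepted"
        except ValidationError as exc:
            results[label] = "rejected: " + str(exc)
    # Layer 3: an empty name slipped past the application is still refused by the schema.
    results["schema_refused_empty_name"] = db_constraint_catches(conn, "", "02079460958")
    results["rows"] = count_contacts(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The schema constraints are intentionally coarser than the application rule (length only, not format); they are there to stop clearly broken rows when some code path forgets to call `validate_contact`, not to replace it, which is the division of labour the answer argues for.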