Which Layer is the Right Layer?
Other scenarios might include ensuring something was in the shopping cart before checking out, verifying that a product could be added to the cart right away, and other issues that should be handled right away rather than waiting until the user tries to finalize an action or submit a set of data.
The API Layer
The Database Layer
Surely by this point you trust the data coming into the database, right? Not so fast. The answer is more a “probably” than a firm yes. Think for a minute about your application. Is it the only one that will put data into the database? Ever? If you answer yes to that question, your application is either really small or hasn’t been around long enough for you to see the long-term use. Your application is not directly tied to your database. They are loosely coupled (hopefully). That means other things can and probably will use your database directly (reporting servers, new third-party applications you acquire, etc.). That means you won’t always be in control of what updates your database. You also won’t be in control if a user captures your database credentials and uses them directly. That is why your database, too, needs at least some basic validation. That may mean foreign keys and referential integrity, it may mean limited-access accounts, or it may mean logic in stored procedures.
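To make the point concrete, here is an added example (not code from the original article) in which a writer bypasses the application entirely and the database's own constraints still reject bad rows. It assumes an in-memory SQLite database driven from Python, and the products and cart_items tables are hypothetical; limited-access accounts and stored procedures are not shown because SQLite has neither.

```python
import sqlite3

# Hypothetical schema (not from the article): a product catalogue and cart items.
SCHEMA = """
CREATE TABLE products (
    id          INTEGER PRIMARY KEY,
    name        TEXT NOT NULL CHECK (length(name) BETWEEN 1 AND 200),
    price_cents INTEGER NOT NULL CHECK (price_cents >= 0)
);
CREATE TABLE cart_items (
    id         INTEGER PRIMARY KEY,
    product_id INTEGER NOT NULL REFERENCES products(id) ON DELETE RESTRICT,
    quantity   INTEGER NOT NULL CHECK (quantity BETWEEN 1 AND 100)
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    # SQLite enforces foreign keys only when this is switched on per connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO products (id, name, price_cents) VALUES (1, 'Widget', 499)")
    conn.commit()
    return conn

def direct_write(conn, sql, params=()):
    """Simulate a writer that bypasses the application and its validation.
    Returns 'accepted' or the constraint error the database raised."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(sql, params)
        return "accepted"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"

def demo():
    conn = open_db()
    insert = "INSERT INTO cart_items (product_id, quantity) VALUES (?, ?)"
    return {
        "valid_row": direct_write(conn, insert, (1, 2)),
        "unknown_product": direct_write(conn, insert, (999, 1)),
        "negative_quantity": direct_write(conn, insert, (1, -5)),
        "delete_referenced": direct_write(conn, "DELETE FROM products WHERE id = 1"),
        "rows_stored": conn.execute("SELECT COUNT(*) FROM cart_items").fetchone()[0],
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Only the valid row is stored; the orphaned reference, the out-of-range quantity and the delete of a product still in a cart are all refused by the database itself, whichever client sent them.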
The Bottom Line