diff --git a/backend/src/routes/addresses.js b/backend/src/routes/addresses.js
index 3cf7fac..33927f9 100644
--- a/backend/src/routes/addresses.js
+++ b/backend/src/routes/addresses.js
@@ -10,9 +10,24 @@ const router = Router();
 const hashCode = (code) => createHash('sha256').update(code).digest('hex');
 
 router.post('/change-request', requireAuth, async (req, res) => {
-  const parsed = z.object({ newAddress: z.string().min(10) }).safeParse(req.body);
+  const parsed = z.object({ newAddress: z.string().min(10).max(500) }).safeParse(req.body);
   if (!parsed.success) return res.status(400).json({ error: parsed.error.flatten() });
 
+  // Check if user already has an address
+  try {
+    const [existingRows] = await pool.query(
+      `SELECT id FROM addresses WHERE user_id = ? LIMIT 1`,
+      [req.user.userId]
+    );
+
+    if (existingRows.length === 0) {
+      return res.status(400).json({ error: 'User must have an existing address to request a change' });
+    }
+  } catch (err) {
+    console.error('Error checking existing address:', err);
+    return res.status(500).json({ error: 'Internal server error' });
+  }
+
   const verificationCode = String(randomInt(100000, 999999));
   const verificationCodeHash = hashCode(verificationCode);