Assuming you're using a pattern close to MVC
The input validation is relevant to the controller part. It's up to your controller to process data, then display user friendly error message by passing these errors message to your view. Any processing have to be done in the controller and validating data is processing.
Anyway, an extra security on model isn't a bad thing, but in this case it's totally useless because you database engine will truncate (or throw an error) if you're inserting more than 20 characters, so security is allready in place.
Models are only meant to acces and store data, not validate it! (Except some rare case when data storage need validation and when database structure don't check integrity by itself).
But again, these are just concepts, you're free to adopt concepts in the way you like. As long as you're consistent across your application (don't do some validations in models, some in controllers, and why not some in view if we are at that!)