In order to obtain an immediate response to incorrect form input,
many developers employ client-side scripting. While this is
a great tool and should certainly be employed where applicable,
it's no substitute for good server-side validation.
Suppose a particularly obstinate user doesn't like your
validation code. What's to stop them from disabling
client-side scripting in their browser? They can then enter whatever
they like and your validation code will never run.
Let's take this scenario to the next level. You decide to
modify your form to use the OnClick event of your submit
button in order to submit the form. At first, this would appear to
solve the problem by requiring client-side script execution
in order to even get the data to the server, but does it really?
Nope... not only have you now upset all your users
who don't have client-side scripting enabled, you haven't solved the
fundamental problem. There's nothing to stop our
crafty hypothetical user from saving the HTML source of your
form, modifying it to do
whatever they want, and then using their browser to
submit it back to your server!
So the lesson here is... use server-side validation for
everything that's important. Client-side validation works
great as an additional check and to provide clients with a
richer web experience, but when it comes down to it you
can never really tell what's being sent to your server
unless you take the time to look.
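
As an added illustration (not code from the original article), here is a server-side check that re-validates every field of a POST body no matter what page or script produced it. The sign-up form, its field names (email, plan, seats) and its limits are assumptions made up for this example.

```python
import re
from urllib.parse import parse_qs

# Hypothetical rules for a constructed sign-up form (not from the article).
ALLOWED_PLANS = {"free", "basic", "pro"}
EMAIL_RE = re.compile(r"[^@\s]{1,64}@[A-Za-z0-9.-]{1,255}")
MAX_BODY = 4096

def validate_signup(raw_body):
    """Re-check every field of a urlencoded POST body; return (clean, errors)."""
    clean, errors = {}, {}
    if len(raw_body) > MAX_BODY:
        return clean, {"_body": "too large"}
    fields = parse_qs(raw_body, keep_blank_values=True)

    def single(name):
        # An edited copy of the form can drop or repeat any field.
        values = fields.get(name, [])
        if len(values) != 1:
            errors[name] = "missing or repeated"
            return None
        return values[0].strip()

    email = single("email")
    if email is not None:
        if EMAIL_RE.fullmatch(email):
            clean["email"] = email
        else:
            errors["email"] = "invalid"

    plan = single("plan")
    if plan is not None:
        # The <select> only limits what the unmodified page offers.
        if plan in ALLOWED_PLANS:
            clean["plan"] = plan
        else:
            errors["plan"] = "not an offered value"

    seats = single("seats")
    if seats is not None:
        # maxlength/min/max attributes and script checks are re-done here.
        if seats.isascii() and seats.isdigit() and 1 <= int(seats) <= 100:
            clean["seats"] = int(seats)
        else:
            errors["seats"] = "must be 1-100"
    return clean, errors

# Constructed sample bodies: one from the unmodified form, one from an edited copy.
BROWSER_POST = "email=alice%40example.com&plan=basic&seats=3"
EDITED_POST = "email=alice%40example.com&plan=enterprise&seats=-5&seats=9999"
```

Only the values returned in clean should be used by the rest of the request handler; the raw body is never trusted again after this point.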