Should you do validation on the server side?
Browser/client-side validation is a convenience. You cannot rely on it. You absolutely need to duplicate any client-level validation with server-side validation.
Well, fine, all YOUR code is correct. What happens when a hacker replaces your JavaScript with one of their liking, or just plain submits POSTs and GETs as if it were your code?
Validating at the client is a usability issue.
Validating at the point of USAGE is a security issue.
That last point is important, because if you do not validate at the point of usage, you are making your code highly coupled. If you change a module, it breaks things elsewhere because you validated at the wrong point.
For instance, you validate data against SQL injection before storing in a SQL database -- the library will do that for you if you choose a good one. You validate data against CSS when you display it as HTML. But if you expose the data as XML, RSS or JSON, then the validation is different -- if you validated it just at input, you wouldn't prevent exploits for the other formats, AND your input routine would be tied to the output formats you choose.
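As an added illustration of this answer's point (example code, not from the original post): the same untrusted string is stored through the database library's parameter binding and then encoded separately for HTML, XML and JSON output, showing that each usage point needs its own handling. The sample input is constructed.

```python
# Added example: validate/encode at the point of usage, not once at input.
import html
import json
import sqlite3
from xml.sax.saxutils import escape as xml_escape

# Constructed sample input that is hostile in several contexts at once.
UNTRUSTED = "O'Brien <script>alert(1)</script> & co"


def store_comment(conn: sqlite3.Connection, text: str) -> int:
    """Persist the raw text; the DB library's parameter binding handles quoting."""
    conn.execute("CREATE TABLE IF NOT EXISTS comments (id INTEGER PRIMARY KEY, body TEXT)")
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (text,))
    conn.commit()
    return cur.lastrowid


def load_comment(conn: sqlite3.Connection, comment_id: int) -> str:
    row = conn.execute("SELECT body FROM comments WHERE id = ?", (comment_id,)).fetchone()
    return row[0]


def render_html(text: str) -> str:
    # Encode at the point of HTML output; quote=True also escapes ' and ".
    return "<p>" + html.escape(text, quote=True) + "</p>"


def render_xml(text: str) -> str:
    # XML element text has its own rules: & < > are escaped, the apostrophe is not.
    return "<comment>" + xml_escape(text) + "</comment>"


def render_json(text: str) -> str:
    # JSON is different again: json.dumps quotes the string and escapes " and \,
    # but leaves < and > alone because they are harmless in a JSON document.
    return json.dumps({"comment": text})


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    cid = store_comment(conn, UNTRUSTED)
    stored = load_comment(conn, cid)  # round-trips unchanged: storage did not "sanitise" it
    return {"stored": stored, "html": render_html(stored),
            "xml": render_xml(stored), "json": render_json(stored)}


if __name__ == "__main__":
    for context, out in demo().items():
        print(f"{context}: {out}")
```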
I always view it as
- Client validation is for usability
- Server validation is for security.