Bill Clar wrote:Why is that?
Because it can always be circumvented. For example, if you're using Javascript validation it can be turned off. Or they can modify the Javascript on the fly. Or they can avoid using a web browser at all and just sent custom HTTP messages straight to your server.
You have no control over the client at all, so you can't make any assumptions about it. Client-side validation can be great for usability, but if it's for security or application integrity you have to do it server side.