should user submitted values always be validated through php even if they're already validated trough JavaScript? Please suggest