Validation of a form

should user submitted values always be validated through php even if they’re already validated trough JavaScript? Please suggest

They should ALWAYS be validated and sanitized server side in PHP (or whatever the server-side language happens to be). Javascript can be usefull for submitting each field to be validated and sanitized by PHP as it’s filled in. Never, ever trust any data that has been submitted by the user in any way (GET array, POST array, cookies, etc).

I don’t know how to validate a site’s form.

@raudpkumm ;
http://php.net/manual/en/function.filter-var.php

The question is filter_var is enough?

Yes indeed, as explained above. JS validation is just for convenience (user gets prompted without page refreshes). But the user can turn off JS with the click of a button, and bots can bypass it too. So in terms of security, it’s like putting a protective fence around your house by no lock on the gate.