Why should I not trust the data coming from a form? I’m watching a tutorial on how to make a login page with PHP and it says the same thing, but I’m not sure why. Is it SQL injection?
In addition to what Randall said…
People can submit POST data straight to your backend program, without going through your webpage online form (with its JS validation). So this direct POST will not be validated by your JS.
So it’s still important to do/repeat the validation on the server side.
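
An added example, not part of the original thread or the tutorial: a PHP handler that repeats the checks on the server, including cases a browser form with JS validation would never produce. The function name, field names (`username`, `password`) and limits are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns [clean values, errors]. The request should
// proceed only when the errors array is empty.
function validate_login(array $post): array
{
    $errors = $clean = [];
    foreach (['username', 'password'] as $field) {
        // A direct POST can omit a field or send it as an array
        // (username[]=x); the page's JS never gets a chance to object.
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[$field] = 'missing or not a string';
            continue;
        }
        $clean[$field] = $post[$field];
    }
    // Same rule the JS might enforce, repeated where it cannot be skipped.
    if (isset($clean['username'])
        && preg_match('/\A[A-Za-z0-9_.-]{3,32}\z/', $clean['username']) !== 1) {
        $errors['username'] = 'must be 3-32 chars: letters, digits, _ . -';
    }
    if (isset($clean['password'])) {
        $len = strlen($clean['password']);
        if ($len === 0 || $len > 128) {
            $errors['password'] = 'length must be 1-128 bytes';
        }
    }
    return [$clean, $errors];
}

// Constructed inputs: what the form sends vs. what a hand-built POST can send.
$samples = [
    'via form'      => ['username' => 'alice_01', 'password' => 'correct horse'],
    'array field'   => ['username' => ['x'], 'password' => 'correct horse'],
    'missing field' => ['username' => 'alice_01'],
    'bad chars'     => ['username' => 'bob smith!', 'password' => 'correct horse'],
];
foreach ($samples as $label => $post) {
    [, $errors] = validate_login($post);
    echo $label, ': ', $errors ? json_encode($errors) : 'ok', PHP_EOL;
}
```

In the real handler the call would be `validate_login($_POST)`. Validation of this kind does not replace prepared statements for the database query; the two address different problems.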