NEVER NEVER NEVER NEVER NEVER do your validation on client side only.
Your opening yourself up for major issues. Client side validation should serve the sole purpose of enhancing user experience (Avoiding the postback before errors are displayed). You should never rely on validation that the user can disable. As Mac has pointed out, you can inject both post and get requests. I've seen injections in all sorts of places, cookies, user agent, referrer, pretty much anything that's sent in the header. Querystring and post data are not even the only places you should be validating.
Rule of thumb,
assume all input is hostile.
Security should be part of the actual core design, the main problem most enterprise applications face are exactly that, security was added as an afterthought which leaves the applications with huge exposure. This isn't even touching validation for things like cross site scripting, file inclusion vulnerabilities or even sensitive information disclosure that could lead to exploitation.