Hypothetically a hacker could turn off java-script and use an older browser to get by the validations and php are foolproof. But realistically why would someone purposefully hack your page just to leave fields blank, so on this page server validations aren't necessary. There might be some circumstances where server validation is still relevant to prevent hacking.