The short answer is that you should verify everything on the host (PHP), as there is no guarantee that your users have JavaScript enabled (or that a hacker is sending his own http requests). That being said, if you don't actually care what a user enters (or doesn't enter) for some field, then I suppose you don't have to validate it -- though that sort of begs the question as to why you care enough to write the JavaScript validation in the first place if it doesn't really matter to you.
