Anything client-side can be disabled by the user. Server-side checks cannot.
Don't believe that a form will always validate when the submit button is clicked. This next snippet of code, pasted in the location bar of a user's browser and then run, overwrites the onClick event on all forms on a page:
document.forms[i].onsubmit=null; void 0;