[eluser]Atharva[/eluser]
Have you ever heard of the 'Tamper Data' add-on for Firefox? It lets you (the user) tamper with the HTTP/HTTPS headers and POST parameters. So imagine you have an e-commerce website; users are choosing plans and paying for them. A user selects plan x for amount y, which passes through JavaScript validation. Now the user is smart, so he activates the Tamper Data plugin, which lets him tamper with the $ amount for your product, which is being sent via the POST method after submitting the form. He changes the amount from $100 to $1. You are the kind of developer who relies only on client-side validation, so you do not bother to check in your PHP script that the amount is actually $100. You pass the tampered value $1 to PayPal, and considering you are again too lazy to validate the PayPal response in your IPN, the user succeeds in purchasing the item for just $1.
This is just a little example which shows what can be done if you lack server side validation.
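
The two server-side checks the post above says were skipped, as an added example that is not part of the original post: the amount sent to the payment provider is looked up on the server, and the IPN is compared against that same price table. The plan id, price, merchant address and the use of `item_number` to carry the plan id are assumptions; `payment_status`, `receiver_email`, `mc_currency` and `mc_gross` are standard PayPal IPN variables.

```php
<?php
// Added example. Plan ids, prices and the merchant address are constructed.
const PLANS = [
    'x' => ['amount' => '100.00', 'currency' => 'USD'],
];
const MERCHANT_EMAIL = 'merchant@example.test';

// Checkout: the form only names the plan. The amount passed on to the
// payment provider comes from the server-side table, never from $_POST.
function checkout_amount(array $post): array
{
    $plan = $post['plan'] ?? null;
    if (!is_string($plan) || !array_key_exists($plan, PLANS)) {
        throw new InvalidArgumentException('unknown plan');
    }
    return ['plan' => $plan] + PLANS[$plan];
}

// Parse a decimal money string into integer cents; null if malformed.
function to_cents($value): ?int
{
    return is_string($value) && preg_match('/^\d+(\.\d{1,2})?$/', $value)
        ? (int) round(((float) $value) * 100)
        : null;
}

// IPN check, to run after the notification itself has been verified with
// PayPal: the paid amount, currency and receiver must match the price table.
function ipn_matches_order(array $ipn): bool
{
    $plan = $ipn['item_number'] ?? null; // assumption: plan id sent as item_number
    if (!is_string($plan) || !array_key_exists($plan, PLANS)) {
        return false;
    }
    return ($ipn['payment_status'] ?? null) === 'Completed'
        && ($ipn['receiver_email'] ?? null) === MERCHANT_EMAIL
        && ($ipn['mc_currency'] ?? null) === PLANS[$plan]['currency']
        && to_cents($ipn['mc_gross'] ?? null) === to_cents(PLANS[$plan]['amount']);
}

// Constructed inputs: a form post with a tampered amount field, then two
// IPN payloads, one paid at the tampered price and one at the real price.
$order = checkout_amount(['plan' => 'x', 'amount' => '1.00']);
echo $order['amount'], PHP_EOL;
$ipn = ['item_number' => 'x', 'payment_status' => 'Completed',
        'receiver_email' => MERCHANT_EMAIL, 'mc_currency' => 'USD'];
var_dump(ipn_matches_order($ipn + ['mc_gross' => '1.00']));
var_dump(ipn_matches_order($ipn + ['mc_gross' => '100.00']));
```

The submitted `amount` field is never read, so editing it in transit changes nothing, and an order is only fulfilled when `ipn_matches_order()` returns true.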