Javascript runs on the client, and many browsers allow you to change javascripts, not just the variable values, but also inserting or deleting lines etc...
For this reason, you should always sanitize incoming data on the server side, even if it is coming from your own website.. In general, you should only consider javascript as a means to improve the UI and user's experience, but never as a means to validate, secure pages or do important business logic.
There are some handy functions included in PHP for handling variable validation