How much data validation is enough for your web applications? Do you trust client side code to do it? Do you validate at every level?

Personally I think client side is ok for some simple validation and formatting, but trust nothing sent from the client. It's far too easy to write code that changes the form, data sent from the form, etc.

I like to validate everything sent from the client in my asp/jsp/whatever stripping out the bogus characters for the expected data type, trimming it down to the appropriate number of characters or bouncing the user with an error message if necessary, and doing an explicit conversion to the data type I need. I strip out all code delimiting characters and make the appropriate conversions to keep my sql or other code from blowing up. Also I use constants to limit the size of the text boxes and then validate the amount of data sent from the client against those constants and take appropriate action if too much is sent.

Then the data is validated in the com component or other code that talks to the asp/jsp/whatever before sending it off to the database. Same kind of thing, check it's size, type, validity (positive, negative, numerical, etc).

I usually have a nice utils include that holds validation functions of every variety such as validateemail(), validatelong(), etc. for both the web and something similar for the compiled code.

What do you do?