I usually use XML validation unless the validation logic is fairly complex, then I override the validation method.
The "best" validation strategy is the one that fills your requirements. It may seem confusing when you are just starting out, but one day you'll be glad you have a flexible framework.
Validation should always occur on the server regardless of whether any client-side validation takes place. Client-side validation is easy to circumvent.
Client-side validation helps with the user experience (quick feedback, no server round-trip) but should never be relied upon. The server code should always pretend that client-side validation does not exist.