Oh, and it seems the client can bypass the required fields before sending, which they shouldn't be able to do. We can't, but they can.
Yay.