The validator controls that can be used for asp.net input validation... requiredfieldvalidator regularexpressionvalidator etc
Do they perfrom validation on the client side AND server side or do I need to have seperate validation in my codebehind to validate on postback (ie to prevent POST injection)?
They perform both.
The validation framework that has been implemented in asp.net was designed to work both client and server side.
If you have used these validators, you do not need to write additional server side code that repeats this validation.
IIRC, they are validate on both the client and server side by default. EnableClientValidation is the property to set to disable client side validation.
You should always validate at the client and again on the server.