I recommend preloading the input component, then enabling global post/get cleaning; this way you have nothing to worry about, even if $_GET/$_POST is used directly.
Next, in controllers, you can do something like this (I don't think that is a security risk or anything):
$model->attributes=Yii::app()->input->post(get_class($model));
$model->save();
Another good way is to overwrite the CModel::setAttributes() ( http://www.yiiframework.com/doc/api/1.1/CModel#setAttributes-detail ) method, something like:
public function setAttributes($values,$safeOnly=true)
{
    if(!is_array($values))
        return;
    // only the attributes declared safe in rules() may be massively assigned
    $attributes=array_flip($safeOnly ? $this->getSafeAttributeNames() : $this->attributeNames());
    foreach($values as $name=>$value)
    {
        if(isset($attributes[$name]))
            // sanitize every value before it reaches the model
            $this->$name=Yii::app()->input->stripClean($value);
        else if($safeOnly)
            $this->onUnsafeAttribute($name,$value);
    }
}
Then, when massively assigning attributes, those will be sanitized (though if you enable global post/get cleaning, this is of no use).
Also, you can create a behavior class, extending CActiveRecordBehavior and use the beforeSave()/beforeValidate() event handler to clean the attributes.
There are many ways to accomplish this, as you can see, but the idea is that you need to be sure that when your attributes are being saved into database, they are in a clean state.
Personally, I use a behavior that I attach to each model; that behavior binds to CActiveRecordBehavior::beforeValidate()/CActiveRecordBehavior::beforeSave() and cleans the data.
Whichever you choose, keep in mind that if you use WYSIWYG editors, you'll need to treat those attributes in a special manner: those attributes need to be cleaned with the CmsInput::purify() method because you want to keep the HTML content, therefore you'll have to make use of CmsInput::getOriginalPost()/CmsInput::getOriginalGet() to retrieve the original values and clean them with CmsInput::purify().
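Below is an added example of the behavior approach described above; it is not the poster's code. It assumes the CmsInput component is registered as Yii::app()->input with the stripClean() and purify() methods named in the post, that global post/get cleaning is left off (so raw values reach the model and purify() still has HTML to keep), and the Post model and its body attribute are hypothetical.

```php
<?php
// Added example (not the poster's code). Assumes Yii 1.1 and the CmsInput
// component registered as Yii::app()->input; stripClean()/purify() are the
// component methods named in the post. Global post/get cleaning is assumed
// to be disabled so that WYSIWYG attributes still contain their HTML here.
class CleanAttributesBehavior extends CActiveRecordBehavior
{
    /** @var array attribute names holding WYSIWYG HTML: purified, not stripped */
    public $htmlAttributes = array();

    // Runs on onBeforeValidate, so the model is clean before rules() run
    // and before beforeSave()/save() ever see the values.
    public function beforeValidate($event)
    {
        $owner = $this->getOwner();
        $input = Yii::app()->input;
        // only safe attributes can come from mass assignment; others are
        // set by application code and left alone
        foreach ($owner->getSafeAttributeNames() as $name) {
            $value = $owner->$name;
            if (!is_string($value)) {
                continue;
            }
            if (in_array($name, $this->htmlAttributes, true)) {
                // keep allowed HTML, drop scripts/event handlers/bad URLs
                $owner->$name = $input->purify($value);
            } else {
                // plain-text attribute: strip tags entirely
                $owner->$name = $input->stripClean($value);
            }
        }
    }
}

// Hypothetical model attaching the behavior; 'body' is the editor field.
class Post extends CActiveRecord
{
    public function behaviors()
    {
        return array(
            'clean' => array(
                'class' => 'CleanAttributesBehavior',
                'htmlAttributes' => array('body'),
            ),
        );
    }
}
```

With this in place, $model->attributes = $_POST['Post']; followed by $model->save() validates and stores sanitized values without the controller having to call the input component itself.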