I would like to know the best pratices regarding post data injection when using the $model->attributes = $_POST[‘foo’]; feature.
Currently I unset variables with unset($model->id) to make sure the user doesn’t set fields he isn’t allowed.
Is this the way to go or is there a more ‘proper’ one?