Massive assignment is: $model->attributes = $_POST[‘table’]. It’s just a loop. If $_POST[‘table’] array’s key ‘attributeName’ is “safe” for $model, then it will be assigned (same as $model->attributeName = …).
Assume, that all attributes are safe and your model has property “createTime”, which must be assigned only by your program. Now, bad guys can send a POST variable createTime = 666. It will be successfully assigned and saved, and it is not good