I am asking this not only to do what I want but also to learn:
For example:
I have 5 fields in my ProfileInfo (table & model), one of which is of course "user_id".
I am not listing the user_id field in the form view. But what if an attacker adds that field? So I have to check for it in the code. (I can hear you saying AuthManager, but please ignore it for this one, as I'm trying to find out something.)
I don’t want to do
if ($model->user_id > 0 && $model->user_id != Yii::app()->user->currentUser()->user_id) {
    // exit
}
I have to check because I'm using $model->save()…
If I use $model->saveAttributes() and add only the fields in the form, I think it will be safe, since whatever else they enter will be ignored.
What is the correct way to do it?
(Don't think of it as just user_id, as I can easily overwrite that with $model->user_id = Yii::app()->user->currentUser()->user_id.)
I don't want to make a blacklist, only a whitelist (:
The only way is saveAttributes, I think… right?
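The whitelist the question is asking for is what Yii 1.1 calls "safe attributes": `$model->attributes = $_POST['ProfileInfo']` calls `setAttributes()` with `safeOnly = true`, so only attributes that appear in a `rules()` entry for the current scenario are copied, and a forged `ProfileInfo[user_id]` field is dropped. The following is an added example, not code from the original post or from Yii itself; it assumes Yii 1.1 and a `profile_info` table whose non-`user_id` columns (`first_name`, `last_name`, `bio`, `website`) are invented for illustration.

```php
<?php
// Added example (not from the original post). Assumes Yii 1.1 and a
// `profile_info` table with columns id, user_id, first_name, last_name,
// bio, website; every column name except user_id is an assumption.

class ProfileInfo extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'profile_info';
    }

    public function rules()
    {
        // Whitelist: only attributes named in a rule for the current scenario
        // are "safe" and get assigned by $model->attributes = $_POST[...].
        // user_id is deliberately absent, so a forged POST field for it is
        // ignored (and logged via onUnsafeAttribute when YII_DEBUG is on).
        return array(
            array('first_name, last_name', 'required'),
            array('first_name, last_name', 'length', 'max' => 64),
            array('bio', 'length', 'max' => 2000),
            array('website', 'url', 'allowEmpty' => true),
        );
    }
}

class ProfileController extends CController
{
    public function actionUpdate()
    {
        // Load the row by the logged-in user, never by a client-supplied id.
        $userId = Yii::app()->user->id;
        $model = ProfileInfo::model()->findByAttributes(array('user_id' => $userId));
        if ($model === null) {
            $model = new ProfileInfo;
        }

        if (isset($_POST['ProfileInfo'])) {
            // Massive assignment honours the whitelist from rules():
            // ProfileInfo[user_id] in the request is silently dropped.
            $model->attributes = $_POST['ProfileInfo'];

            // Belt and braces: assert ownership server-side before save(),
            // so a future mistake in rules() still cannot re-home the row.
            $model->user_id = $userId;

            if ($model->save()) {
                $this->redirect(array('view'));
            }
        }

        $this->render('update', array('model' => $model));
    }
}
```

To confirm the whitelist from a console or unit test, `$model->getSafeAttributeNames()` returns exactly the attributes that massive assignment will accept for the current scenario; `user_id` must not be in that list. Marking an attribute `array('user_id', 'unsafe')` is the explicit alternative when a rule (for example `numerical`) would otherwise make it safe. `saveAttributes()` also works, but it bypasses validation entirely, so the `rules()` whitelist plus `save()` is the idiomatic choice.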