How can I prevent specific fields from updating

I am asking this not only to do what I want but also to learn:

For example:

I have 5 fields in my ProfileInfo (table & model), one of which is of course "user_id".

I am not listing the user_id field in the form view. But what if an attacker adds that field? So I have to check for it in the code. (I can hear you saying AuthManager, but please ignore it for this one, as I'm trying to find out something.)

I don't want to do

if($model->user_id>0 && $model->user_id!=Yii::app()->user->currentUser()->user_id){
   //exit
}

I have to check because I'm using $model->save()…

If I use $model->saveAttributes() and add only the fields in the form, I think it will be safe, since whatever else they enter will be ignored.

What is the correct way to do it?

(Don't think of it as just user_id, as I can overwrite that one easily with $model->user_id=Yii::app()->user->currentUser()->user_id.)

I don't want to make a blacklist, only a whitelist (:

The only way is saveAttributes, I think… right?

I've gone the following way. What do you think?

            if($model->validate())
            {
                //$model->setPrimaryKey(Yii::app()->user->currentUser()->user_id);
                $model->setIsNewRecord(false);
                $model->user_id=Yii::app()->user->currentUser()->user_id;

                // saveAttributes() takes an array of name=>value pairs; only these columns are written
                $model->saveAttributes(array('favorite_book'=>$model->favorite_book,'favorite_movie'=>$model->favorite_movie));
                Yii::app()->user->setFlash('pageinfo','Profile updated');
                $this->refresh();
                return;
            }



Did you read about safe attributes? You can set all fields' values using massive assignment, but only those attributes which are listed in validation rules will be assigned.

So I have to remove "array('user_id', 'numerical', 'integerOnly'=>true)," from my Profile model, right?

right
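As an added example (not code from the thread), here is what the whitelist approach agreed on above looks like in a Yii 1.x model and controller: the rules() method lists only the two form fields, so massive assignment via $model->attributes silently drops any user_id key an attacker injects into the POST body, and the controller sets user_id from the session instead. It assumes a table named profile_info, the two fields favorite_book and favorite_movie from the thread, and the standard Yii::app()->user->id for the logged-in user's id (the thread's currentUser()->user_id is a custom helper).

```php
<?php
// Added example, not from the thread. Yii 1.x model whose validation rules
// act as the whitelist for massive assignment.
class ProfileInfo extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'profile_info';   // assumed table name
    }

    public function rules()
    {
        // user_id has deliberately NO rule here. An attribute that appears in
        // no rule for the current scenario is "unsafe", and
        // $model->attributes = $_POST[...] ignores it without any error.
        return array(
            array('favorite_book, favorite_movie', 'length', 'max' => 255),
        );
    }
}

class ProfileController extends CController
{
    public function actionUpdate()
    {
        // Load only the row that belongs to the logged-in user.
        $model = ProfileInfo::model()->findByAttributes(
            array('user_id' => Yii::app()->user->id)
        );
        if ($model === null) {
            throw new CHttpException(404, 'Profile not found.');
        }

        if (isset($_POST['ProfileInfo'])) {
            // Massive assignment: only safe attributes (favorite_book,
            // favorite_movie) are copied; an injected user_id is dropped.
            $model->attributes = $_POST['ProfileInfo'];

            // Ownership always comes from the session, never from the form.
            $model->user_id = Yii::app()->user->id;

            if ($model->save()) {
                Yii::app()->user->setFlash('pageinfo', 'Profile updated');
                $this->refresh();
            }
        }

        // Handy while debugging: shows exactly which names mass assignment accepts.
        // Yii::trace(implode(',', $model->getSafeAttributeNames()));

        $this->render('update', array('model' => $model));
    }
}
```

Because safety is decided per scenario, an attribute that must be validated when an administrator edits it can keep its rule with an 'on' => 'admin' scenario restriction and still be unsafe in the default update scenario; the built-in 'unsafe' validator is the other way to keep a rule on an attribute while excluding it from massive assignment.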