How to prevent post data injection with $model->attributes?

I would like to know the best pratices regarding post data injection when using the $model->attributes = $_POST[‘foo’]; feature.

Currently I unset variables with unset($model->id) to make sure the user doesn’t set fields he isn’t allowed.

Is this the way to go or is there a more ‘proper’ one?

Safe Attributes

You need to read the guide about massive assignment and safe attributes -