Assuming something like:

    $model = new ActiveRecordModel();
    $model->attributes = $_POST['form'];
    $model->save();

Are there any risks of SQL injection? XSS might happen depending on how the data is later shown, of course.
The model has validation rules for all attributes.