Securing A Form From Input Type Hidden Injection

I have form with following input names:

  • task[title]

  • task[deadline]

  • task[content]

  • task[excepted_result]

In database in table there is also fields id and state. I don’t want give users ability to change state, but injecting <input type=“hidden” name=“task[state]” value=“you_been_hacked” /> using some browser’s Developers tools (F12) can easily breach security of default Gii generated model. What a best practices to protect against such injections?

Haven’t found answer here:

Securing Attribute Assignments

Thank you! It is exactly vulnerable from so called "massive assignment".

But how to split rules to two categories? I want to apply certain rules at massive assignment and other rules at validate() before saving data to database. Is following code valid for this task:

if(isset($_POST['Task'])) {

    $model->scenario = 'createTask';


    $model->scenario = 'validateTask';

    if($model->save()) { // save() will call beforeValidate() and each validate() of 'validateTask' scenario





public function rules()


    // NOTE: you should only define rules for those attributes that

    // will receive user inputs.

    return array(

        array('title, deadline, excepted_result', 'required', 'on'=>'createTask, validateTask'),

        array('state', 'validateState', 'on'=>'validateTask'),

        array('deadline', 'integerOnly'=>true, 'on'=>'createTask, validateTask'),

        array('title', 'length', 'max'=>50, 'on'=>'createTask, validateTask'),

        array('content, excepted_result', 'length', 'max'=>4000, 'on'=>'createTask, validateTask'),

        array('title, deadline, content, excepted_result', 'safe', 'on'=>'createTask'),