In the database table there are also the fields id and state. I don't want to give users the ability to change state, but injecting <input type="hidden" name="task[state]" value="you_been_hacked" /> using a browser's Developer tools (F12) can easily breach the security of the default Gii-generated model. What are the best practices to protect against such injections?
Thank you! It is exactly vulnerable to so-called "massive assignment".
But how do I split the rules into two categories? I want to apply certain rules at massive assignment and other rules at validate() before saving data to the database. Is the following code valid for this task:
    if(isset($_POST['Task'])) {
        $model->scenario = 'createTask';
        $model->attributes = $_POST['Task'];
        $model->scenario = 'validateTask';
        if($model->save()) { // save() will call beforeValidate() and each validate() of the 'validateTask' scenario
            $this->redirect(array('viewTask','id'=>$model->id));
        }
    }
Model:
    public function rules()
    {
        // NOTE: you should only define rules for those attributes that
        // will receive user inputs.
        return array(
            array('title, deadline, excepted_result', 'required', 'on'=>'createTask, validateTask'),
            array('state', 'validateState', 'on'=>'validateTask'),
            // 'integerOnly' is an option of the 'numerical' validator; the validator name itself is required
            array('deadline', 'numerical', 'integerOnly'=>true, 'on'=>'createTask, validateTask'),
            array('title', 'length', 'max'=>50, 'on'=>'createTask, validateTask'),
            array('content, excepted_result', 'length', 'max'=>4000, 'on'=>'createTask, validateTask'),
            array('title, deadline, content, excepted_result', 'safe', 'on'=>'createTask'),
        );
    }
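The following is an added example, not code from the thread and not Yii's own source. It is a small stand-alone PHP stand-in that reproduces the rule Yii 1.x's CModel uses to decide which attributes mass assignment may touch (an attribute is "safe" in a scenario if some rule active in that scenario covers it, unless that rule is 'unsafe'; rules without 'on' apply to every scenario). The Task class, its fields and the request array are assumptions for illustration; validators are only used to compute safety here, they are not executed. It shows why the scenario split in the post blocks the injected state field, and the one caveat a reviewer would flag: the assignment must happen while the scenario is still 'createTask', because in 'validateTask' the validateState rule makes state a safe attribute.

```php
<?php
// Added example (not from the original thread, not Yii's code): a minimal
// stand-in for CModel's safe-attribute logic so the effect of the poster's
// scenario split can be seen without a database or the framework.

class Task
{
    public $id;
    public $title;
    public $deadline;
    public $content;
    public $excepted_result;
    public $state = 'new';   // server-controlled; must never come from the form
    public $scenario = '';

    /** Same shape as the rules() in the thread: validator name plus optional 'on' scenarios. */
    public function rules()
    {
        return array(
            array('title, deadline, excepted_result', 'required', 'on'=>'createTask, validateTask'),
            array('state', 'validateState', 'on'=>'validateTask'),
            array('deadline', 'numerical', 'integerOnly'=>true, 'on'=>'createTask, validateTask'),
            array('title', 'length', 'max'=>50, 'on'=>'createTask, validateTask'),
            array('content, excepted_result', 'length', 'max'=>4000, 'on'=>'createTask, validateTask'),
        );
    }

    /** Mirrors CModel::getSafeAttributeNames(): every attribute covered by a rule
     *  active in the current scenario is safe, unless that rule is 'unsafe'. */
    public function getSafeAttributeNames()
    {
        $safe = array();
        foreach ($this->rules() as $rule) {
            $attrs     = preg_split('/\s*,\s*/', trim($rule[0]), -1, PREG_SPLIT_NO_EMPTY);
            $validator = $rule[1];
            $on = isset($rule['on'])
                ? preg_split('/\s*,\s*/', trim($rule['on']), -1, PREG_SPLIT_NO_EMPTY)
                : array();
            // A rule with no 'on' applies to every scenario.
            $applies = empty($on) || in_array($this->scenario, $on, true);
            if (!$applies) {
                continue;
            }
            foreach ($attrs as $a) {
                if ($validator === 'unsafe') {
                    unset($safe[$a]);
                } else {
                    $safe[$a] = true;
                }
            }
        }
        return array_keys($safe);
    }

    /** Mirrors CModel::setAttributes($values, $safeOnly = true): keys that are not
     *  safe in the current scenario are silently dropped. Dropped names are
     *  returned so a controller can log the tampering attempt. */
    public function setAttributes(array $values)
    {
        $safe    = array_flip($this->getSafeAttributeNames());
        $dropped = array();
        foreach ($values as $name => $value) {
            if (isset($safe[$name])) {
                $this->$name = $value;
            } else {
                $dropped[] = $name;
            }
        }
        return $dropped;
    }
}

// Constructed request body standing in for $_POST['Task'], including the
// hidden field injected through the browser's developer tools.
$post = array(
    'title'           => 'Write report',
    'deadline'        => '20',
    'excepted_result' => 'PDF on the shared drive',
    'state'           => 'you_been_hacked',
);

// 1) Vulnerable pattern: copying every key (what a hand-written loop or
//    setAttributes($post, false) does) lets the client overwrite state.
$weak = new Task;
foreach ($post as $k => $v) {
    $weak->$k = $v;
}
echo "unsafe copy      -> state = {$weak->state}\n";

// 2) The thread's pattern: assign while in 'createTask', where no rule covers state.
$model = new Task;
$model->scenario = 'createTask';
$dropped = $model->setAttributes($post);
echo "createTask       -> state = {$model->state}; dropped: " . implode(',', $dropped) . "\n";

// 3) Switching to 'validateTask' afterwards only changes which rules validate()
//    runs. But note the caveat: in this scenario state IS a safe attribute, so
//    assigning request data after the switch would accept the injected value.
$model->scenario = 'validateTask';
echo "validateTask safe attributes: " . implode(',', $model->getSafeAttributeNames()) . "\n";
$late = new Task;
$late->scenario = 'validateTask';
$late->setAttributes($post);
echo "assigned in validateTask -> state = {$late->state}\n";
```

Run it with `php` on the command line. The practical takeaway for the posted controller is that the order of the two scenario assignments matters: `$model->attributes = $_POST['Task']` must come while the scenario is 'createTask', and any attribute that only has a rule in 'validateTask' (here state) stays out of reach of the form. Logging the names returned from the dropped list is a cheap way to detect clients that tamper with hidden fields.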