[eluser]Negligence[/eluser]
Step 1: Validate it by content, type, length, etc.
Step 2: Send it to the Model
Step 3: If not using Active Record, PDO, etc., sanitize the values.
Step 4: Parse the values into the query.
There's nothing wrong with sending $_POST to the database, just as long as it's sanitized beforehand.
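The four steps above worked through in PHP, as an added example that is not part of the original post. The `users` table, its columns, the `validateSignup` and `UserModel` names and the SQLite DSN are assumptions made for the example.

```php
<?php
// Added example (not from the original post): the four steps with PDO.
// Assumptions: a `users` table with `username` and `email` columns; the
// sqlite DSN below is a placeholder standing in for the real connection.

// Step 1: validate by content, type and length before anything else.
function validateSignup(array $post): array
{
    $errors   = [];
    $username = trim((string) ($post['username'] ?? ''));
    $email    = trim((string) ($post['email'] ?? ''));

    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors[] = 'username must be 3-20 letters, digits or underscores';
    }
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    return ['errors' => $errors, 'username' => $username, 'email' => $email];
}

// Step 2: the model receives only the validated values, never raw $_POST.
class UserModel
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    // Steps 3 and 4: with PDO prepared statements there is no manual escaping;
    // the values are bound as parameters, so they cannot alter the query text.
    public function create(string $username, string $email): bool
    {
        $stmt = $this->pdo->prepare(
            'INSERT INTO users (username, email) VALUES (:username, :email)'
        );
        return $stmt->execute([':username' => $username, ':email' => $email]);
    }
}

// Controller side: reject on validation errors, otherwise hand off to the model.
$pdo = new PDO('sqlite::memory:'); // placeholder DSN for the example
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');

$checked = validateSignup($_POST);
if ($checked['errors'] !== []) {
    http_response_code(400);
    echo implode("\n", $checked['errors']), "\n";
} else {
    (new UserModel($pdo))->create($checked['username'], $checked['email']);
}
```

If the driver in use offers no parameter binding (step 3 of the post), the equivalent of the bound `execute()` is escaping each value with the driver's own escaping function before it is placed in the query string.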