How robust/(un)safe is CI
#4

kgill
Just a quick addition here regarding validation callback functions - yes, they're public, but how is that a security risk?

An attacker can manipulate the URL to call one but they gain nothing by it. The function returns a boolean; that value is not viewable unless you did something silly like echo it out. So at most they can pass some value to your callback and get a blank page back. The value returned by the function is only useful to other PHP code executing it, and if the attacker has the ability to execute code on your server, a callback function is the least of your worries at that point. The only possible problem is someone not putting the proper checks on the input to the callback and just executing a call to the database with it, in which case it comes back to what Flayra said: that's a problem with the developer and not the framework.

- K
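
The one risk named in the post above (a callback that hands its argument straight to the database), shown beside a checked version. This is an added example, not part of kgill's post and not CodeIgniter code: it uses plain PHP with PDO and an in-memory SQLite database as a stand-in, and the class, method names, table and inputs are all constructed.

```php
<?php
// Added example. PDO/SQLite stands in for the framework's controller and
// database layer; every name and value below is constructed for illustration.

class Account
{
    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // Weak: the callback trusts its argument and splices it into the SQL text,
    // so the caller's value can change the meaning of the WHERE clause.
    public function user_exists_unsafe($str)
    {
        $sql = "SELECT COUNT(*) FROM users WHERE name = '" . $str . "'";
        return (int) $this->db->query($sql)->fetchColumn() > 0;
    }

    // Hardened: reject values of the wrong shape, then pass the value as a
    // bound parameter so it is only ever treated as data.
    public function user_exists($str)
    {
        if (!is_string($str) || !preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $str)) {
            return false;
        }
        $stmt = $this->db->prepare('SELECT COUNT(*) FROM users WHERE name = ?');
        $stmt->execute(array($str));
        return (int) $stmt->fetchColumn() > 0;
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice')");

$account = new Account($db);
// Constructed inputs: an unknown name, a known name, a value carrying SQL syntax.
foreach (array('bob', 'alice', "zed' OR '1'='1") as $input) {
    printf("%-18s unsafe=%s hardened=%s\n", $input,
        var_export($account->user_exists_unsafe($input), true),
        var_export($account->user_exists($input), true));
}
```

Both methods only return a boolean, as the post says; the difference is that the unsafe one reports the third input as an existing user, while the hardened one rejects it before any query runs.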

