Iterating through a form's $_POST
#8

[eluser]Michael Wales[/eluser]
pyro - I'm not seeing how that would prevent this type of vulnerability. Let's say your Category model had a field called permissions - which defined who was allowed to edit it.

Scenario:
Your fields array would then include this new permissions field (assuming you had a reason to edit it via the web interface, maybe you have an admin area or something).
The malicious user injects this variable into the $_POST array.
You loop through the fields array, dropping all of the established variables into the row array.
You insert this data into your table - which now includes the permissions field you were not expecting (because it's not in your form, but the user included it).

I do think you are on to something here though (it just needs to be moved to the method level, not the class level) - and to be honest, I never thought of looping through like that - it would save a lot of typing time on my end. I'm going to go back and edit my current project to use this particular method.

But, what if you defined the fields array for each method? Therefore, you are limiting what can/cannot be placed within the database. To mimic the scenario I outlined above:
Your method's field array only contains catID, cat_name, and cat_description - since that's all the user can edit via this particular method.
Malicious user injects his variable.
You loop through all of your editable fields, as defined in this method, and the one he injected gets set to FALSE, NULL, '' - whatever.
All is well in the world.

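The two scenarios above side by side, as an added PHP example that is not code from the thread or from CodeIgniter. The `$post` array is constructed to stand in for `$_POST` from a user who appended a `permissions` field; the function and field names are illustrative assumptions, not anything from the original posts.

```php
<?php
// Constructed input standing in for $_POST: the real category form only has
// catID, cat_name and cat_description, but the client added "permissions".
$post = [
    'catID'           => '7',
    'cat_name'        => 'Hardware',
    'cat_description' => 'Routers and switches',
    'permissions'     => 'admin',   // injected by the user, not in the form
];

// Vulnerable pattern from the first scenario: every submitted key is copied
// into the row, so the injected "permissions" column reaches the INSERT/UPDATE.
function buildRowFromAllInput(array $input): array
{
    $row = [];
    foreach ($input as $field => $value) {
        $row[$field] = $value;
    }
    return $row;
}

// Hardened pattern from the second scenario: the method declares the fields
// the user may edit and the row is built only from that list. Keys that are
// not listed are simply never read, whatever the client sent.
//
// $fillMissing controls what happens to a listed field the client omitted:
// true sets it to NULL (matches "set to FALSE, NULL, '' - whatever" above),
// false leaves it out of the row, which is safer for an UPDATE because it
// does not wipe a column the user did not touch.
function buildRowFromWhitelist(array $input, array $editable, bool $fillMissing = false): array
{
    $row = [];
    foreach ($editable as $field) {
        if (array_key_exists($field, $input)) {
            $row[$field] = $input[$field];
        } elseif ($fillMissing) {
            $row[$field] = null;
        }
    }
    return $row;
}

// Per-method field list (hypothetical): what the "edit category" action allows.
function categoryEditFields(): array
{
    return ['catID', 'cat_name', 'cat_description'];
}

$vulnerable = buildRowFromAllInput($post);
$hardened   = buildRowFromWhitelist($post, categoryEditFields());

foreach (['vulnerable' => $vulnerable, 'hardened' => $hardened] as $label => $row) {
    $status = array_key_exists('permissions', $row) ? 'would be written' : 'was discarded';
    echo "$label row: permissions column $status; fields = " . implode(', ', array_keys($row)) . "\n";
}
```

In a CodeIgniter model the `$hardened` array is what you would hand to `$this->db->insert()` or `$this->db->update()`; the whitelist belongs next to the method that builds it, because a class-wide list grows to cover every column any method ever touches (including the `permissions` column in the first scenario). Note the `$fillMissing` caveat: defaulting unlisted-but-expected fields to NULL is harmless on an INSERT with sensible column defaults, but on an UPDATE it silently blanks whatever the user did not resubmit.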

Messages In This Thread
Iterating through a form's $_POST - by El Forum - 08-22-2007, 04:02 PM
Iterating through a form's $_POST - by El Forum - 08-22-2007, 04:13 PM
Iterating through a form's $_POST - by El Forum - 08-22-2007, 11:36 PM
Iterating through a form's $_POST - by El Forum - 08-23-2007, 12:31 AM
Iterating through a form's $_POST - by El Forum - 08-23-2007, 04:53 AM
Iterating through a form's $_POST - by El Forum - 08-23-2007, 11:14 AM
Iterating through a form's $_POST - by El Forum - 08-23-2007, 11:25 AM
Iterating through a form's $_POST - by El Forum - 08-23-2007, 01:21 PM
Iterating through a form's $_POST - by El Forum - 08-23-2007, 04:39 PM
Iterating through a form's $_POST - by El Forum - 08-23-2007, 04:47 PM
