[eluser]BrianDHall[/eluser]
[quote author="KarlFranz" date="1256931750"]It's seen logic to me, but CodeIgniter programmer put all validation in controller, that's my problem.
Why put the validation in controller and expose you by high risk of backdoor code passing direcly by the model without validation.
Somebody can explain to me, why make model without any validation to protect your data (add/edit) no filter (get/list)
sorry, I think my english is so worst this morning.[/quote]
I actually agree, and don't use validation on my controller. I use Datamapper OverZealous Extension (DMZ), and it by convention uses something very much like the form validation class built entirely in the Model. I don't really write much of any validation in the controller any more, it seems so much better to do it in the model that I don't know why anyone would want to do it in the controller anymore.
So I just load $_POST into my model object and let it figure out if something passed to it was improper or insecure. I think that's the models job - to handle data. This logically should include keeping the data safe, valid, and secure.
Don't confuse others bad practice (copy/pasting validation rules into controllers all over the place) with CodeIgniter.