Is this a BUG in [Phalcon\Mvc\Model::create($data = null, $whiteList = null)]?

$school = new Schools();
foreach($_POST as $k=>$v) {
    $school->$k = $v;
}
if ($school->create()) {
    $this->flash->success('ok');
} else {
    $this->flash->success('exists');
}

This works OK.

BUT

$school = new Schools();
// foreach($_POST as $k=>$v) {
//    $school->$k = $v;
// }
if ($school->create($_POST)) {
    $this->flash->success('ok');
} else {
    $this->flash->success('exists');
}

This will update the record that already exists, without any check.

  1. Don't ever use the POST array! There is the $this->request->getPost() method - use it. Also use a whitelist - it will prevent passing data to the model that you don't want to; I define the whitelist just in the model and get it when creating.
edited Oct '15

It's just an example, but thanks a lot and I will remember it. I've read the source; it just checks the metaData, and there is no check for data and whitelist. https://github.com/phalcon/cphalcon/blob/master/phalcon/mvc/model.zep
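
The whitelist advice from this thread, as an added example (not code from either poster or from Phalcon): plain PHP in which `Schools` is a hypothetical stand-in class and the column names and `filterWhitelisted()` helper are assumptions, showing request fields being filtered before they reach the model.

```php
<?php
declare(strict_types=1);

// Added example, not Phalcon code. Schools is a hypothetical stand-in
// with public properties; the column names are assumptions.
final class Schools
{
    public ?int $id = null;
    public string $name = '';
    public string $city = '';
    public bool $is_verified = false;

    /** Columns a client may set when creating a record (assumed list). */
    public const CREATE_WHITELIST = ['name', 'city'];
}

/**
 * Split request data into whitelisted string fields and rejected keys.
 * Array values (e.g. name[]=x) are rejected even for whitelisted keys.
 *
 * @return array{0: array<string,string>, 1: list<string>}
 */
function filterWhitelisted(array $input, array $whiteList): array
{
    $accepted = [];
    $rejected = [];
    foreach ($input as $key => $value) {
        if (in_array($key, $whiteList, true) && is_string($value)) {
            $accepted[$key] = trim($value);
        } else {
            $rejected[] = (string) $key;
        }
    }
    return [$accepted, $rejected];
}

// Constructed sample request body: two legitimate fields plus two fields
// the form never offered (a primary key and a privilege flag).
$post = ['name' => 'Hill School', 'city' => 'Leeds', 'id' => '7', 'is_verified' => '1'];

[$data, $rejected] = filterWhitelisted($post, Schools::CREATE_WHITELIST);

$school = new Schools();
foreach ($data as $column => $value) {
    $school->$column = $value; // only whitelisted columns reach the model
}
if ($rejected !== []) {
    error_log('Rejected non-whitelisted fields: ' . implode(', ', $rejected));
}
var_dump($school->id, $school->is_verified, $school->name);
```

Logging the rejected keys gives a signal when a client submits fields such as a primary key that the form never exposed.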
