F3 and POST data using ORM


solo

Mar 4, 2017, 11:44:27 AM
to Fat-Free Framework
Hi all, I am new to F3, somewhat new to PHP as well.  Just learning / doing some test webpages for myself.  Currently I'm setting up simple login infrastructure with sessions, and the ability to register.

What I would like to know is whether I can pass POST data directly to the F3 ORM and be confident that all of the sanitizing happens within F3 behind the scenes. Further, as I have read in the docs, it is best practice, if using "CopyFrom", to explicitly define all of your form fields. Finally, I wonder whether it is OK practice to save the hashed password back to the POST variable instead of somewhere local/private. Nevertheless, here is what I have:

 // Hash the submitted password in place. (A call result cannot be assigned to in PHP;
 // writing back into the hive has to go through set().)
 $this->f3->set('POST.password', password_hash($this->f3->get('POST.password'), PASSWORD_DEFAULT));

 $user->reset(); // Make sure nothing is selected

 // Now save all variables of identical naming into the database.
 $user->copyfrom($this->f3->get('POST'), function ($values) {
     // The 'POST' array is now passed to our callback function;
     // keep only the expected form fields.
     return array_intersect_key($values, array_flip(array('email', 'phone', 'first_name', 'last_name', 'password', 'address', 'city', 'state', 'zip', 'gender', 'birthday')));
 });

 $user->save();

Thank you for all comments and advice!

ved

Mar 6, 2017, 5:08:09 AM
to Fat-Free Framework
Copyfrom should sanitize the data correctly and be safe from SQL injection.

That being said, sanitizing doesn't mean it's 100% safe for your app. For example, it doesn't check string length, allowed/forbidden characters for your app, whether the field actually exists, etc.

As for the password question, it should be safe to add it to the POST array if you're going to use copyFrom. At that point POST is just another array that you'll process almost immediately after and will eventually be cleared on subsequent requests.
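The checks listed in the reply (length, allowed characters, whether a field exists at all) are the application's job, not copyfrom()'s. The following is an added example, not code from this thread or from the Fat-Free Framework project: a validation step that whitelists and checks the registration fields first and hands only the cleaned array to copyfrom(). That copyfrom() accepts an array as well as a hive key name is taken from the F3 documentation; the field names, length limits, formats, the `validate_registration` and `register_user` helpers, and the sample requests are assumptions made here for illustration.

```php
<?php
// Added example, not code from the thread or from Fat-Free Framework.
// Field list, length limits and formats are assumptions for illustration.

const ALLOWED_FIELDS  = ['email', 'phone', 'first_name', 'last_name', 'password',
                         'address', 'city', 'state', 'zip', 'gender', 'birthday'];
const REQUIRED_FIELDS = ['email', 'password', 'first_name', 'last_name'];
const MAX_LENGTH = ['email' => 254, 'phone' => 20, 'first_name' => 64,
                    'last_name' => 64, 'address' => 128, 'city' => 64,
                    'state' => 2, 'zip' => 10];

/**
 * Whitelist and validate a registration form. Returns the cleaned array,
 * password already hashed, ready for copyfrom(); on failure returns an
 * empty array and fills $errors with one message per problem.
 */
function validate_registration(array $post, &$errors): array
{
    $errors = [];
    // Drop every key not in the whitelist (e.g. an injected 'is_admin').
    $clean = array_intersect_key($post, array_flip(ALLOWED_FIELDS));

    foreach ($clean as $f => $v) {
        // A request body like first_name[]=x arrives as an array, not a string.
        if (!is_string($v)) {
            $errors[] = "$f must be a string";
            unset($clean[$f]);
            continue;
        }
        $clean[$f] = trim($v);
        if (array_key_exists($f, MAX_LENGTH) && mb_strlen($clean[$f]) > MAX_LENGTH[$f]) {
            $errors[] = "$f is too long";
        }
    }
    foreach (REQUIRED_FIELDS as $f) {
        if (!isset($clean[$f]) || $clean[$f] === '') {
            $errors[] = "$f is required";
        }
    }
    // Per-field format rules (assumed); empty optional fields are skipped.
    $rules = [
        'email'    => fn($v) => filter_var($v, FILTER_VALIDATE_EMAIL) !== false,
        'phone'    => fn($v) => preg_match('/^\+?[0-9 ()-]{7,20}$/', $v) === 1,
        'zip'      => fn($v) => preg_match('/^[0-9]{5}(-[0-9]{4})?$/', $v) === 1,
        'state'    => fn($v) => preg_match('/^[A-Z]{2}$/', $v) === 1,
        'gender'   => fn($v) => in_array($v, ['m', 'f', 'x'], true),
        'birthday' => fn($v) => preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $v, $m) === 1
                                && checkdate((int) $m[2], (int) $m[3], (int) $m[1]),
        // bcrypt (PASSWORD_DEFAULT) only uses the first 72 bytes, so cap the length too.
        'password' => fn($v) => mb_strlen($v) >= 8 && strlen($v) <= 72,
    ];
    foreach ($rules as $f => $ok) {
        if (isset($clean[$f]) && $clean[$f] !== '' && !$ok($clean[$f])) {
            $errors[] = "$f is not valid";
        }
    }
    if ($errors) {
        return [];
    }
    // Hash into the cleaned copy, so the plain-text password never goes back into the hive.
    $clean['password'] = password_hash($clean['password'], PASSWORD_DEFAULT);
    return $clean;
}

/**
 * $user is assumed to be the app's \DB\SQL\Mapper instance, as in the question.
 * copyfrom() takes an array as well as a hive key, so only validated data
 * reaches it and no filtering callback is needed any more.
 */
function register_user($user, array $clean): void
{
    $user->reset();
    $user->copyfrom($clean);
    $user->save();
}

// Constructed sample requests standing in for $f3->get('POST').
$requests = [
    'good' => ['email' => 'alice@example.com', 'phone' => '+1 555 0100',
               'first_name' => 'Alice', 'last_name' => 'Example',
               'password' => 'correct horse battery', 'address' => '1 Main St',
               'city' => 'Springfield', 'state' => 'IL', 'zip' => '62701',
               'gender' => 'f', 'birthday' => '1990-01-31', 'is_admin' => '1'],
    'bad'  => ['email' => 'not-an-address', 'first_name' => ['x'],
               'last_name' => str_repeat('a', 65), 'password' => 'short',
               'state' => 'ILL', 'birthday' => '1990-02-30'],
];
foreach ($requests as $name => $post) {
    $clean = validate_registration($post, $errors);
    echo $name . ': ' . ($errors
        ? 'rejected (' . implode('; ', $errors) . ')'
        : 'accepted, fields ' . implode(',', array_keys($clean))) . PHP_EOL;
}
```

The 'good' request is accepted with the injected `is_admin` key silently dropped; the 'bad' one collects every failure (non-string field, over-long name, invalid e-mail, short password, bad state, impossible date) in one pass so the form can report them together. Hashing into the cleaned copy rather than back into POST is an alternative to what the question does; either is workable, this one just keeps the plain-text password out of the hive. Run it with `php validate.php`; `register_user()` is only called from the real handler where an F3 mapper exists.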