/**
 * Save the logged-in researcher's submitted profile form and refresh the
 * copy of the user record cached in the session.
 *
 * NOTE(review): no login check or anti-CSRF token check is visible in this
 * method; confirm both are enforced before it is dispatched.
 *
 * @return string Name of the template to render next ('researcher.tpl').
 */
public function researchersave()
{
    # Original author's note: all of this input is relatively free-form, so
    # it is left to the DB layer to escape it.
    # NOTE(review): DB escaping only covers SQL injection. It does not decide
    # which fields may be written, and it does not make the stored text safe
    # to print; confirm the templates escape these values on output.
    $researcher = new Researcher();

    # The id handed to upd() is read from the session, not from the request.
    $researcherId = $_SESSION['user']['researcher_id'];

    # NOTE(review): the whole $_POST array is passed through. upd() is not
    # visible here; confirm it keeps only an allowlist of editable fields, so
    # that extra posted keys cannot reach columns the form never exposes.
    $researcher->upd($researcherId, $_POST);

    # Re-read the record so the session holds whatever getone() now returns
    # for this id. Anything upd() accepted therefore ends up in
    # $_SESSION['user'] as well.
    $_SESSION['user'] = $researcher->getone($researcherId);

    return 'researcher.tpl';
}