Your application is the M. It should be able to stand independent from V and C. V and C form the User Interface to your application. Whether this is a web interface or a command line interface shouldn’t matter for the core business logic of your application to run. You want the model to be fat with business logic.
If you have a fat controller instead, e.g. full with business logic, you are not adhering to the purpose of MVC. A controller’s sole responsibility is handling and delegating UI requests to the Model. That’s why it should be skinny. It should only contain code necessary for what it’s responsible for.
Simplified Example
public function fooAction()
{
if(isset($_POST['bar'])) {
$bar = Sanitizer::sanitize($_POST['bar']);
$rows = $this->database->query('SELECT * from table');
try {
foreach($rows as $row) {
$row->foo = $bar;
$row->save();
}
} catch (Exception $e) {
$this->render('errorPage');
exit;
}
$this->render('successPage');
} else {
$this->render('fooPage');
}
}
When it should be
public function fooAction()
{
if(isset($_POST['bar'])) {
$success = $this->tableGateway->updateFoo($_GET['bar']);
$page = $success ? 'successPage' : 'errorPage';
$this->render($page);
} else {
$this->render('fooPage');
}
}
because that’s all the controller needs to know. It should not update the rows. It should just tell the model that someone requested this change. Updating is the responsibility of the class managing the rows. Also, the controller does not necessarily have to sanitize the value.
As for Q2 and Q3, please see my answer to Can I call a Model from the View.