
It seems easy to blame the magic finders for this (because they seem magic), or ActiveRecord alone, but really the problem is that 'secure by default' can trick you into thinking the framework will do it all for you.

It probably will most, if not all, of the time for you. But the complexity of such things understandably means there will be obscure vulnerabilities that are hard to track down.

Sanitising -- and even validating -- your params at the controller level is a nice way to stop some of these problems before they reach your models.
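The controller-level sanitising and validating described above, as an added example that is not part of the original comment. It is plain Ruby so it runs without Rails: `params` is a Hash standing in for the controller's parameters, and `FIND_BY_NAME` is a constructed stand-in for an ActiveRecord finder (both are assumptions for illustration).

```ruby
# Added example: validate request parameters in the controller so that only
# well-formed Strings ever reach an ActiveRecord finder.

class ParamValidationError < StandardError; end

# Accepts a single, non-empty String matching an allow-list pattern.
# nil and nested structures (Hash, Array) produced by query-string parsing
# are rejected before the model layer sees them.
def sanitize_param(params, key, pattern: /\A[a-zA-Z0-9_.\-]{1,64}\z/)
  value = params[key.to_s] || params[key.to_sym]
  raise ParamValidationError, "#{key}: missing" if value.nil?
  unless value.is_a?(String)
    raise ParamValidationError, "#{key}: expected String, got #{value.class}"
  end
  cleaned = value.strip
  raise ParamValidationError, "#{key}: invalid format" unless cleaned.match?(pattern)
  cleaned
end

# Controller action: the finder is only ever called with a validated String;
# anything else becomes a 400 response instead of an unexpected query.
def show_user(params, finder)
  name = sanitize_param(params, :name)
  finder.call(name)
rescue ParamValidationError => e
  { status: 400, error: e.message }
end

# Constructed stand-in for a model finder such as User.find_by_name.
FAKE_USERS = { "alice" => { id: 1, name: "alice" } }.freeze
FIND_BY_NAME = ->(name) { FAKE_USERS[name] || { status: 404 } }

if __FILE__ == $PROGRAM_NAME
  p show_user({ "name" => " alice " }, FIND_BY_NAME)       # alice record
  p show_user({ "name" => { "x" => "y" } }, FIND_BY_NAME)  # 400: Hash rejected
  p show_user({ "name" => ["alice"] }, FIND_BY_NAME)       # 400: Array rejected
  p show_user({}, FIND_BY_NAME)                             # 400: missing
end
```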


