
It is not an overreaction.

This is a much more subtle SQL injection.

I believe the takeaway is that too much magic is a bad thing when it obscures the underlying behavior.

Post.find_by_id() accepts an argument. Here are some normal assumptions:

1. It might only take a number

2. The method might coerce it to a string or integer for you

3. The method might not coerce it.

4. The method might throw an error if it isn't an int or the object isn't found.

5. The parameter is treated like a hash and used for lookups.

This last one seems a bit too much magic to me. I wouldn't even guess that last one as normal, expected behavior.



But that is an overreaction. The find_by_* dynamic handlers have always accepted strings and integers, by design. What's insecure about User.find_by_id("27")?

What people seem to be reacting to is the idea that User.find_by_id(params[:id]) is exploitable because you can coerce params[:id] into a hash instead of a string (by using a query string like ?id[select]=some_thing_here instead of ?id=27). True, but what most people here are overlooking is that User.find_by_id actually rejects these hashes because their keys are strings and not symbols. Try it out.

This vulnerability can be coupled with other vulnerabilities (like having someone's session secret, which is a much worse vulnerability IMO), but people are talking about it as if you can do something nasty with it by itself alone. That's why it's an overreaction.


I happen to agree with you that (5) is a magic bridge too far, but that's a different discussion.
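The key-type point made above (a nested query string yields a Hash with string keys rather than a scalar) and the defensive check a practitioner would want before calling a dynamic finder, as an added example that is not part of this thread. `parse_query` is a constructed stand-in for Rack's nested-parameter parsing, not Rack's code; `coerce_id` and `lookup_id` are hypothetical helpers standing in for a controller that only hands an integer id to `find_by_id`.

```ruby
require 'cgi'

# Minimal stand-in for Rack's nested query parsing (constructed for this
# example, not Rack's real implementation). As in Rack, keys are Strings:
#   "id=27"            -> {"id" => "27"}
#   "id[select]=value" -> {"id" => {"select" => "value"}}
def parse_query(query)
  params = {}
  query.split('&').each do |pair|
    raw_key, raw_value = pair.split('=', 2)
    key = CGI.unescape(raw_key.to_s)
    value = CGI.unescape(raw_value.to_s)
    if (m = key.match(/\A([^\[]+)\[([^\]]+)\]\z/))
      # "name[sub]" syntax produces a nested Hash instead of a scalar
      params[m[1]] = {} unless params[m[1]].is_a?(Hash)
      params[m[1]][m[2]] = value
    else
      params[key] = value
    end
  end
  params
end

# Defensive coercion (hypothetical helper): accept only a String or Integer
# made of digits and return it as an Integer. A Hash, Array or non-numeric
# String yields nil, so it never reaches the finder.
def coerce_id(value)
  return nil unless value.is_a?(String) || value.is_a?(Integer)
  str = value.to_s
  return nil unless str.match?(/\A\d+\z/)
  str.to_i
end

# Simulated controller step: the value that would be passed to
# Post.find_by_id, or nil when the request is rejected before lookup.
def lookup_id(query)
  coerce_id(parse_query(query)['id'])
end
```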



