> Nobody here sees the irony in Rails redoing what PHP was ridiculed for for so long? Never. inject. user. input. by. default.
To me the idea of even having such a feature *not* enabled by default seems insane. People cannot be trusted to use it responsibly. You can argue all day that it's the developer's responsibility and not the framework's to ensure security, but that's not going to stop an endless stream of security bugs. I suppose a giant screaming warning that gets emitted on every page load, warning the developer "if you even think of enabling this hack on a publicly accessible site then you are an idiot", *might* be sufficient.
BTW, the problem is even deeper than not injecting user input. You can't trust *anything* in the HTTP request, the user (i.e. potential attacker) has total control over it. Using content in the HTTP request to decide which DB fields to update is utterly and completely insane.
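As an added example, not part of the comment above and not Rails or PHP code: a minimal, framework-free Ruby simulation of the pattern the comment describes (the request body deciding which columns get written), beside a version where the server declares which attributes a form may touch. The `User` class, the `update_attributes!` and `update_permitted!` method names and the request hash are constructed for illustration.

```ruby
# Added example, not from the original thread. Simulates request-driven
# attribute assignment without any web framework so it runs stand-alone.
# The class, method names and request hash below are hypothetical.
require 'set'

class User
  attr_accessor :name, :email, :admin

  def initialize(name:, email:, admin: false)
    @name, @email, @admin = name, email, admin
  end

  # Vulnerable pattern: every key in the request hash becomes a setter call,
  # so the client, not the server, decides which columns are written.
  def update_attributes!(params)
    params.each do |key, value|
      setter = "#{key}="
      raise ArgumentError, "unknown attribute #{key}" unless respond_to?(setter)
      public_send(setter, value)
    end
    self
  end

  # Hardened pattern: the server names the attributes this form may change;
  # anything else in the request is dropped and reported, never written.
  def update_permitted!(params, permitted)
    allowed = Set.new(permitted.map(&:to_s))
    params.each do |key, value|
      unless allowed.include?(key.to_s)
        warn "dropped unpermitted attribute: #{key}"
        next
      end
      public_send("#{key}=", value)
    end
    self
  end
end

# Constructed request body: a profile form only shows "name", but the
# attacker adds a field the form never offered.
ATTACKER_PARAMS = { "name" => "mallory", "admin" => true }.freeze
PROFILE_FIELDS  = %i[name email].freeze

# Returns the admin flag after a request-driven update (expected: true).
def vulnerable_update
  user = User.new(name: "alice", email: "alice@example.invalid")
  user.update_attributes!(ATTACKER_PARAMS)
  user.admin
end

# Returns [name, admin] after a whitelisted update (expected: ["mallory", false]).
def hardened_update
  user = User.new(name: "alice", email: "alice@example.invalid")
  user.update_permitted!(ATTACKER_PARAMS, PROFILE_FIELDS)
  [user.name, user.admin]
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: admin=#{vulnerable_update}"
  puts "hardened:   #{hardened_update.inspect}"
end
```

The point of the second method is that the permitted list lives in server code next to the form that uses it, so a new column added to the model later is unreachable from the request until someone deliberately adds it to the list.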