by SpoonMeiser 5215 days ago
Is it just me, or doesn't this sound very similar to SQL injection, only as applied to an ORM instead?

That is, if my understanding is correct, they're taking user posted data and trivially turning it into a command to update data.

This doesn't sound like a problem with Rails, in the same way that if I turn data I receive from the user straight into an SQL statement, the fact that people can abuse it isn't a problem with SQL.

3 comments

It's a problem with Rails because Rails provided the update facility that takes user data and told people "if you use this, you can build a blog in 15 minutes." If you're turning user data into SQL, at least you're the one who wrote the code. Your database didn't come with a parse POST and update table function.
They are both confused deputy problems so they are both pretty similar. I think you are right to point out the similarity.

I have seen worse though :-P

SQL injection is a problem with the way database libraries are designed. Just because some idiotic piece of design has persisted for years doesn't change what it is: a vulnerability.
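An added example (not from this thread or from Rails) that makes the "confused deputy" point concrete in plain Ruby: a stand-in for an ORM's "update from posted params" facility, with the unguarded version beside one that only assigns attributes the application has explicitly permitted. The `User` class, `PERMITTED` list and the `POSTED` request body are all constructed for illustration.

```ruby
require 'set'

# Hypothetical model record; a real ORM would map these to DB columns.
class User
  attr_accessor :name, :email, :admin

  def initialize(name:, email:, admin: false)
    @name, @email, @admin = name, email, admin
  end

  # Unsafe: assigns every key the client sent, which is what an unguarded
  # mass-assignment call does. The request, not the app, picks the columns.
  def update_attributes_unsafe(params)
    params.each { |key, value| public_send("#{key}=", value) }
    self
  end

  # Safe: the application decides which attributes are assignable from a
  # request; anything else is dropped (a stricter variant could raise).
  PERMITTED = Set.new(%w[name email]).freeze

  def update_attributes(params)
    params.each do |key, value|
      next unless PERMITTED.include?(key.to_s)
      public_send("#{key}=", value)
    end
    self
  end
end

# Constructed sample POST body: it carries a field the form never offered.
POSTED = { 'name' => 'mallory', 'email' => 'm@example.com', 'admin' => true }.freeze

# Returns the record after the unguarded update: admin flips to true.
def unsafe_result
  User.new(name: 'alice', email: 'a@example.com').update_attributes_unsafe(POSTED)
end

# Returns the record after the whitelisted update: admin stays false,
# while the permitted fields are still updated normally.
def safe_result
  User.new(name: 'alice', email: 'a@example.com').update_attributes(POSTED)
end
```

The whitelist is the same idea as binding parameters in SQL: the trusted code fixes the structure of the operation and the untrusted input only supplies values.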