I've been scouring the web for suggested Rails defenses against SQL injection, but I haven't found much on the object creation part. Certainly using attr_protected, etc., is a good way to prevent unwanted fields from being modified on the new object (if you're passing a hash as creation parameters), but what about escaping the POSTed info before saving? Couldn't you POST some SQL injector evilness into an 'allowed' field and terminate the INSERT and maybe run some DELETES, etc.? Are people who pass the whole params hash setting themselves up for SQL armageddon?
Let me know if I've got it all wrong. And if there are built-in (or otherwise easy) ways to deal with *all* such potential threats, that would be good to know, too.
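Added example, not code from the original post or from Rails/ActiveRecord itself: a small stand-alone Ruby model of the two ways POSTed params end up in SQL. The "vulnerable" builders interpolate the hash values straight into the statement, which is what hand-written string conditions do; the "safe" builders route every value through a quoting function, which stands in for what an ActiveRecord adapter does when you hand a (whitelisted) hash to `Model.new`/`Model.create` or use `?` placeholders in a conditions array. The quoting rule (doubling single quotes, as SQLite and PostgreSQL do for string literals), the function names, the `users` table and the `EVIL_PARAMS` payload are all constructed for this illustration and are not ActiveRecord's own code.

```ruby
# Constructed malicious POST body: the attacker puts SQL into an *allowed*
# field, hoping to terminate the INSERT and run a DELETE behind it.
EVIL_PARAMS = {
  "name"  => "bob'); DELETE FROM users; --",
  "email" => "bob@example.com",
}.freeze

# Stand-in for adapter-level quoting of one string literal (hypothetical
# helper; a real adapter does this per database dialect).
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# VULNERABLE: raw interpolation of the hash values into the INSERT.
def insert_sql_interpolated(table, attrs)
  cols = attrs.keys.join(", ")
  vals = attrs.values.map { |v| "'#{v}'" }.join(", ")
  "INSERT INTO #{table} (#{cols}) VALUES (#{vals})"
end

# SAFE: every value is quoted, so the payload stays inside its literal.
# This is the shape of what happens when a hash is passed to create/new.
def insert_sql_quoted(table, attrs)
  cols = attrs.keys.join(", ")
  vals = attrs.values.map { |v| quote_literal(v) }.join(", ")
  "INSERT INTO #{table} (#{cols}) VALUES (#{vals})"
end

# VULNERABLE: a hand-built condition string, e.g. :conditions => "name = '#{..}'".
def select_sql_interpolated(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# SAFE: '?' placeholders filled with quoted values, the shape of
# :conditions => ["name = ?", name] / where("name = ?", name).
def select_sql_bound(template, *values)
  pending = values.dup
  template.gsub("?") { quote_literal(pending.shift) }
end

# Crude statement counter used only to show whether a payload managed to
# break out of its literal: walks the text, ignores semicolons inside
# single-quoted strings (with '' as the escaped quote) and stops at a
# top-level "--" line comment, since a database never executes what follows.
def statement_count(sql)
  segments = []
  current = String.new
  in_string = false
  i = 0
  while i < sql.length
    ch = sql[i]
    if in_string
      if ch == "'" && sql[i + 1] == "'"
        current << "''"
        i += 1
      else
        in_string = false if ch == "'"
        current << ch
      end
    elsif ch == "'"
      in_string = true
      current << ch
    elsif ch == ";"
      segments << current unless current.strip.empty?
      current = String.new
    elsif ch == "-" && sql[i + 1] == "-"
      break
    else
      current << ch
    end
    i += 1
  end
  segments << current unless current.strip.empty?
  segments.size
end

if __FILE__ == $0
  [insert_sql_interpolated("users", EVIL_PARAMS),
   insert_sql_quoted("users", EVIL_PARAMS),
   select_sql_interpolated(EVIL_PARAMS["name"]),
   select_sql_bound("SELECT * FROM users WHERE name = ?", EVIL_PARAMS["name"])].each do |sql|
    puts "#{statement_count(sql)} statement(s): #{sql}"
  end
end
```

Run as-is to see the four statements side by side: the interpolated INSERT and SELECT each turn into two executable statements (the INSERT/SELECT plus the attacker's DELETE), while the quoted versions stay one statement with the payload stored verbatim as a harmless string. The field whitelist (attr_protected/attr_accessible) and value quoting solve two different problems: the first decides which columns a POST may set, the second keeps the values in those columns from being parsed as SQL; the risk worth auditing is any place a param is spliced into a condition string by hand.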