Sitealizer plugin vulnerable to SQL injections?

From what I've seen after quickly browsing through the sitealizer (http://sitealizer.rubyforge.org/) source, it'll make the whole application vulnerable to SQL-injection attacks. All HTTP params are passed directly into SQL calls without quoting.