George -
All user input needs to be considered malicious until you evaluate otherwise. The use of params[:id] as in your example is a prime example of this problem - you are responsible for either (1) verifying that the user owns the ID when the update is called, or (2) preventing the problem altogether by using something other than a URL-based ID to identify the record (such as by using a session variable rather than the ID parameter to "remember" the id of the record that is to be updated).
There is no built-in magic in Rails to manage this problem for you.....
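Added example (not code from the original post or from Rails): plain Ruby, with no Rails dependency, contrasting the unscoped params[:id] lookup with the two alternatives the reply describes. The POSTS store, the user names and the method names are constructed for illustration.

```ruby
# Constructed data store: post id => owner user id (stands in for the DB table).
POSTS = { 1 => "alice", 2 => "bob" }.freeze

class NotFound < StandardError; end

# Parse the id the way a controller receives it (a string from the URL);
# anything that is not an integer is treated as a missing record.
def parse_id(raw)
  Integer(raw)
rescue ArgumentError, TypeError
  raise NotFound
end

# Insecure pattern: trusts params[:id] and looks the record up globally,
# so any logged-in user can update any record just by changing the URL.
def update_unscoped(current_user, params)
  id = parse_id(params[:id])
  raise NotFound unless POSTS.key?(id)
  "#{current_user} updated post #{id}"
end

# Approach (1): scope the lookup to the current user's own records, as
# current_user.posts.find(params[:id]) would in Rails. A record the user
# does not own is indistinguishable from one that does not exist, so the
# response does not even confirm that the other record is there.
def update_scoped(current_user, params)
  id = parse_id(params[:id])
  raise NotFound unless POSTS[id] == current_user
  "#{current_user} updated post #{id}"
end

# Approach (2): the ownership check happens once, when the edit starts, and
# the server records the chosen id in the session it controls.
def begin_edit(current_user, session, params)
  id = parse_id(params[:id])
  raise NotFound unless POSTS[id] == current_user
  session[:editing_post_id] = id
  session
end

# The update then ignores the URL entirely and uses the server-set session
# value, so there is no client-supplied id left to tamper with.
def update_from_session(current_user, session)
  id = session[:editing_post_id]
  raise NotFound if id.nil?
  "#{current_user} updated post #{id}"
end
```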