All user input needs to be considered malicious until you evaluate
otherwise. The use of params[:id] as in your example is a prime example
of this problem - you are responsible for either (1) verifying that the
user owns the ID when the update is called, or (2) preventing the problem
altogether by using something other than a URL-based ID to identify
the record (such as by using a session variable rather than the ID
parameter to "remember" the id of the record that is to be updated).
There is no built-in magic in Rails to manage this problem for you.
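As an added example (not code from the answer above), here is the vulnerable params[:id] lookup next to both fixes the answer describes. It uses a plain-Ruby stand-in for the ActiveRecord pieces (a RecordNotFound error, a find that only searches an owner-scoped set of rows) so that it runs without Rails; Post, PostRepo, PostScope and the three update_* methods are hypothetical names, and the two sample posts are constructed data.

```ruby
# Added example: plain-Ruby stand-ins for the ActiveRecord calls a Rails
# controller would make, so this runs without Rails. All names are hypothetical.

RecordNotFound = Class.new(StandardError)   # stands in for ActiveRecord::RecordNotFound
Post = Struct.new(:id, :owner_id, :title)

# Constructed sample data: two posts belonging to two different users.
POSTS = [
  Post.new(1, 100, "alice draft"),
  Post.new(2, 200, "bob draft"),
]

# Minimal "relation": a set of rows you can call find on, like
# current_user.posts.find(id) in Rails.
class PostScope
  def initialize(rows)
    @rows = rows
  end

  # Like ActiveRecord find: raises when no row *in this scope* has the id.
  def find(id)
    @rows.find { |p| p.id == id.to_i } or raise RecordNotFound, "no post #{id}"
  end
end

module PostRepo
  # Unscoped lookup over every row, like Post.find(params[:id]).
  def self.find(id)
    PostScope.new(POSTS).find(id)
  end

  # Ownership-scoped lookup, like current_user.posts.
  def self.owned_by(user_id)
    PostScope.new(POSTS.select { |p| p.owner_id == user_id })
  end
end

# VULNERABLE: trusts params[:id]. Any logged-in user can update any post
# simply by changing the id in the URL.
def update_unscoped(_current_user_id, params)
  post = PostRepo.find(params[:id])
  post.title = params[:title]
  post
end

# Option (1) from the answer: verify ownership by scoping the lookup to the
# current user. A foreign id is simply not found, so no record is touched.
def update_scoped(current_user_id, params)
  post = PostRepo.owned_by(current_user_id).find(params[:id])
  post.title = params[:title]
  post
end

# Option (2) from the answer: the id to update comes from the session (set
# earlier, when the user opened their own record), not from the URL.
# The lookup stays scoped so a stale or tampered session value cannot
# reach another user's row either.
def update_from_session(current_user_id, session, params)
  post = PostRepo.owned_by(current_user_id).find(session[:editing_post_id])
  post.title = params[:title]
  post
end

if __FILE__ == $PROGRAM_NAME
  attacker = 100                              # alice, logged in
  tampered = { id: "2", title: "pwned" }      # bob's post id pasted into the URL

  puts "unscoped: modified post owned by user #{update_unscoped(attacker, tampered).owner_id}"
  begin
    update_scoped(attacker, tampered)
  rescue RecordNotFound => e
    puts "scoped: rejected (#{e.message})"
  end
end
```

The scoped version is the one to prefer in a real controller, since it needs no extra state: the ownership check is the query itself, and a forged id behaves exactly like a nonexistent one.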