I would go as far as to say every single [beginner] user of Rails too. If it wasn't for all this, I'd never have known there was a gaping exploit I'd need to patch up in my own app in development.

This, in and of itself, is a major flaw in their documentation. It's like PHP's mysql functions not mentioning escaping strings on their manual pages, but instead burying it all entirely elsewhere, where you'd never think of looking.

"You should have read every single page of the documentation, then you'd know we briefly mentioned mysql_real_escape_string() and prepared statements that prevent this issue."

I mean, the least you can do if you won't provide a fix, or sensible defaults, is to make it abundantly clear you have to correct it yourself. (Bit of a broken record with this schtick, sorry!)
