
I have been using PHP for 4 years, and Ruby and RoR for a month or so.

And I have noticed this pattern:

In PHP frameworks, creating an object with raw $_POST is as common as in Rails (params), because it's faster for the developer. Of course, it's a known bad practice, and is discouraged.

The difference is that when a PHP developer makes this mistake, people say it's because PHP developers are all noobs and PHP is crap.

Now, when a Rails developer makes the very same mistake, it gets fancy names like 'mass assignment vulnerability', and by what I read in the comments on GitHub, they are fully convinced that no other framework has this 'vulnerability', because no other framework has this feature of 'mass assignment'.
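The pattern the post describes, as an added illustration that is not part of the thread: a model built straight from a request hash the way `Model.new(params[:user])` was, first with no attribute whitelist and then with one in the spirit of attr_accessible. The classes and the request hash are constructed for this example.

```ruby
# Added example, not from the thread or from Rails itself.
# UnsafeUser mirrors the "build the object from raw params" habit: every key
# in the hash becomes an attribute assignment, including ones the form never
# offered (the mass assignment problem under discussion).
class UnsafeUser
  attr_accessor :name, :email, :admin

  def initialize(params = {})
    @admin = false
    # No filtering: an extra "admin" key in the request body lands on the model.
    params.each { |key, value| public_send("#{key}=", value) }
  end
end

# SafeUser keeps an explicit list of request-assignable attributes and drops
# everything else, which is what attr_accessible (and later strong parameters)
# enforce for you.
class SafeUser
  attr_accessor :name, :email, :admin

  ACCESSIBLE = %w[name email].freeze

  def initialize(params = {})
    @admin = false
    rejected = params.keys.map(&:to_s) - ACCESSIBLE
    # Log the dropped keys so a tampered request is visible in the logs.
    warn "ignored protected attributes: #{rejected.join(', ')}" unless rejected.empty?
    params.each do |key, value|
      next unless ACCESSIBLE.include?(key.to_s)
      public_send("#{key}=", value)
    end
  end
end

# Constructed request body: a client added an "admin" field that the sign-up
# form does not contain.
TAMPERED_PARAMS = { "name" => "mallory", "email" => "m@example.com", "admin" => true }.freeze

def unsafe_admin?(params = TAMPERED_PARAMS)
  UnsafeUser.new(params).admin # => true: privilege set from request data
end

def safe_admin?(params = TAMPERED_PARAMS)
  SafeUser.new(params).admin   # => false: the extra key was dropped
end
```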



Yep, this bothers me too. attr_accessible is to Rails what magic_quotes_gpc was to PHP: a terribly misconceived 'helper' feature that is almost designed to trip up beginners in the worst way.

Of course, that GitHub should get caught by it is alarming.


Even with good knowledge of a system people forget things. The blame for this incident falls 100% on rails and its awful design. It's like blaming the driver for crashing your car whose brakes can silently and unpredictably fail unless you press some button when you first get into the car. Critical failure points should be isolated aggressively. Many software "engineers" have not yet grasped this.


I haven't heard a single kind thing about GitHub's code from people who've deployed their FI, or more recently, enterprise product.

They've got some talented people, but I'm guessing from their posts speaking of how they work that they don't have much in the way of code review.


People do not learn from the past. People will keep reinventing these kinds of bad designs, and we will have security holes in web apps until it stops.



