Github (Ruby based) hacked by mass-assignment - Yii is safe

Recently, Github was hacked by a developer exploiting a mass-assignment vulnerability.

Since Yii uses a white-list technique for mass assignment (every attribute must have validation associated with it or must be explicitly defined as safe for mass assignment to work), we are safe. Though it is not a problem with RoR itself, frameworks should make it hard for the developer to make mistakes by enforcing such good practices. Thanks, Yii.

When I started using Yii and learned about CModel property assignment, it seemed obvious to me that this could be exploited. I immediately turned to the source code to confirm that Yii was safe by default, and it was. (This is a common thing: every time I wanted to confirm something in Yii, it was always done the Right Way.)

Seems like in Rails they are too lazy to put each attribute on a whitelist. I don’t know if I can trust a Rails application anytime soon.

Rangel Reale

Actually it was the same as in Rails in Yii 1.0, but then the Yii team realized what it could lead to and changed it.

Was it really? As far as I remember, the only difference from now was that the definition of safe attributes and validation rules were separated (rules() and safeAttributes(), http://www.yiiframework.com/doc/api/1.0/CModel#safeAttributes-detail). In 1.1.x they were both combined into one method. In fact I still think that it was better before, because for complex models with many scenarios and many attributes rules() can become quite bloated now. One reason why I often override getSafeAttributes() in my models again.
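The whitelist behaviour described in the first post and in the reply above (an attribute is mass-assignable only if rules() mentions it for the current scenario, either with a validator or with the 'safe' validator) can be seen in a plain PHP script without installing the framework. The code below is an added example, not Yii's own source: SafeModel is a stripped-down stand-in for the relevant parts of CModel, and the User class, its is_admin attribute, the adminEdit scenario and the sample form post are all constructed for illustration.

```php
<?php
// Added example: a simplified stand-in for Yii 1.1's CModel whitelist, not Yii's code.
// Real Yii does this inside CModel::setAttributes($values, $safeOnly = true), which is
// what the common `$model->attributes = $_POST['User'];` assignment calls.

abstract class SafeModel
{
    public $scenario = 'insert';

    // Subclasses return rules shaped like Yii's: array('attr1, attr2', 'validator', 'on' => 'scenario1, scenario2').
    abstract public function rules();

    // Split a Yii-style comma-separated list into names.
    protected function splitList($list)
    {
        return preg_split('/\s*,\s*/', $list, -1, PREG_SPLIT_NO_EMPTY);
    }

    // Attributes that may be mass-assigned in the current scenario: every attribute
    // named by an applicable rule, minus those marked with the 'unsafe' validator.
    public function getSafeAttributeNames()
    {
        $safe = array();
        $unsafe = array();
        foreach ($this->rules() as $rule) {
            if (isset($rule['on']) && !in_array($this->scenario, $this->splitList($rule['on']), true)) {
                continue; // rule does not apply to this scenario
            }
            foreach ($this->splitList($rule[0]) as $name) {
                if ($rule[1] === 'unsafe') {
                    $unsafe[$name] = true;
                } else {
                    $safe[$name] = true;
                }
            }
        }
        return array_keys(array_diff_key($safe, $unsafe));
    }

    // Mass assignment: with $safeOnly, anything not on the whitelist is dropped.
    // Returns the names that were dropped so the caller can log them.
    public function setAttributes(array $values, $safeOnly = true)
    {
        $allowed = $safeOnly ? array_flip($this->getSafeAttributeNames()) : null;
        $dropped = array();
        foreach ($values as $name => $value) {
            if ($allowed !== null && !isset($allowed[$name])) {
                $dropped[] = $name;
                continue;
            }
            if (property_exists($this, $name)) {
                $this->$name = $value;
            }
        }
        return $dropped;
    }
}

// Constructed model: is_admin is only assignable in the 'adminEdit' scenario,
// so a self-registration post that smuggles it in has no effect.
class User extends SafeModel
{
    public $username;
    public $email;
    public $is_admin = 0;

    public function rules()
    {
        return array(
            array('username, email', 'required'),
            array('email', 'email'),
            array('is_admin', 'boolean', 'on' => 'adminEdit'),
        );
    }
}

// Constructed form submission: a normal registration plus an extra field
// the form never offered. Only the whitelisted keys reach the model.
$post = array('username' => 'alice', 'email' => 'alice@example.com', 'is_admin' => 1);

$user = new User();
$user->scenario = 'insert';
$dropped = $user->setAttributes($post);
printf("insert scenario: is_admin=%d, dropped=[%s]\n", $user->is_admin, implode(', ', $dropped));

$admin = new User();
$admin->scenario = 'adminEdit';
$dropped = $admin->setAttributes($post);
printf("adminEdit scenario: is_admin=%d, dropped=[%s]\n", $admin->is_admin, implode(', ', $dropped));
```

Run it with `php example.php`: in the insert scenario is_admin keeps its default of 0 and the stray key is reported as dropped, while the adminEdit scenario accepts it because a rule names it there. The point of returning the dropped names is detection: real Yii raises CModel::onUnsafeAttribute for the same condition, and logging it is a cheap way to notice someone probing a form with fields it does not have.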

You’re right. It was good in 1.0 as well :)