If you aren't sanitizing and checking the inputs appropriately somewhere between the user and trusted code, you WILL get pwned.
Rails provides default ways to avoid this, but it makes it very easy to do whatever you want with user input. Rails will not necessarily throw a warning if your AI decides that it wants to directly interpolate user input into a sql query.
Well in this case, I am reading through everything that is generated for Rails because I want things to be done my way. For user input, I tend to validate everything with Zod before sending it off the backend which then flows through ActiveRecord.
I get what you're saying that AI could write something that executes user input but with the way I'm using the tools that shouldn't happen.
