Whitelist and typecheck your parameters at the controller level
David Heinemeier Hansson, Aaron Weiner