I think it might be worth your time to double check your attr_accessibles. Just:

  grep attr_accessible app/models/*rb 

Everything that comes up on that list, you should be comfortable with users giving any value they want to; that's what attr_accessible (effectively, not literally) means: "I give up any control of how these attributes will be set".