ChatBox is nifty. Try it out here.

I recently went through a live training session, and some videos involving Grails. I was surprised to see that bulk assignment to domain objects appeared to be common practice in the training materials. In other words, account.properties = params appeared to be the idiomatic way to update a domain object with new values from a web request. The problem with doing that, of course, is that an end-user can submit whatever form fields they choose, and easily change database fields you hadn’t intended for them to change. Fundamentally, this is the same problem PHP was accused of being very insecure...