I'm a senior developer and I can assure you that stuff like "if I put a semicolon in the URL, how does it respond?" never works on my software. It doesn't because as a general rule I sanitize all input or rely on the stack to do it for me, but in general I know which parts of the stack are doing sanitization to lift that burden from me.
That doesn't mean my software is secure. Unfortunately some bugs are far more subtle, including the recent Rails exploit. So on one hand I trust Rails even more, precisely because such problems are found and fixed. But on the other hand this does open you up to mass exploits, which does give me the shivers.
So it really depends on how much effort you're spending on your app. If you actively maintain your app then you can take notice of zero-day exploits and upgrade ASAP. But if you want a worry-less app that you don't want to maintain, a more custom stack is more suitable.
Case in point, WordPress is the most popular blogging platform in the world. It's also the most targeted, and shitty weekend blog implementations are far less likely to get hacked.