According to http://guides.rubyonrails.org/security.html#countermeasures you're entirely correct that it won't raise any error, although the keys won't be dropped: attr_accessible drops the attributes when mass-assigned to a model, they're still available in the params hash.