This is well documented and doesn't happen with good web practices. If you accept and trust user input, you fail.
Summary of the exploit: If you accept a username from a browser that is (artificially, maliciously) submitted in a typed fashion (as a number or bool), and accept it as such, implicit conversion kicks in.
Both Rails and MySQL perform implicit conversion, so if you sanity check your apps to make sure the string you get from your browser or web service is in fact a string, there is no problem.
I don't use MySQL for reasons just like this - so I'm not all that surprised. That said - it would be interesting to see Devise put to the test to see if it is indeed a problem for Devise.
Or do you trust your web users?
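An added example, not part of the comment above and not Rails or Devise code: a lookup that trusts the type a JSON parser produced, beside one that requires a String first. The `USERS` table, the function names and `mysql_like_equal?` (a simplified model of a string column compared with a numeric or boolean operand) are assumptions made for illustration.

```ruby
require 'json'

# Constructed sample rows standing in for a users table with a string column.
USERS = [
  { username: 'alice' },
  { username: 'bob' }
].freeze

# Simplified model of implicit conversion: when the operand is a number or
# bool, the string column is cast to a number (0 when it has no leading digits).
def mysql_like_equal?(column_value, operand)
  case operand
  when String      then column_value == operand
  when true, false then column_value.to_f == (operand ? 1.0 : 0.0)
  when Numeric     then column_value.to_f == operand.to_f
  else false
  end
end

# Lookup that accepts whatever type the request parser handed over.
def find_unchecked(params)
  USERS.find { |u| mysql_like_equal?(u[:username], params['username']) }
end

# Lookup that only proceeds when the value is a non-empty String.
def find_checked(params)
  username = params['username']
  return nil unless username.is_a?(String) && !username.empty?

  USERS.find { |u| mysql_like_equal?(u[:username], username) }
end

if __FILE__ == $PROGRAM_NAME
  typed  = JSON.parse('{"username": 0}')      # constructed typed input
  normal = JSON.parse('{"username": "bob"}')  # constructed ordinary input
  puts "unchecked, typed:  #{find_unchecked(typed).inspect}"
  puts "checked, typed:    #{find_checked(typed).inspect}"
  puts "checked, string:   #{find_checked(normal).inspect}"
end
```
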