All entries tagged with code-snippet

Get connected: find your true connection with Rails

In Rails, the database connection hides behind an adapter. This adapter allows you to execute queries, but you cannot bind variables in a safe manner where the database driver does the escaping for you. That is not something you want in a web application, where SQL injection should be at the top of your list of concerns.

Here's a little snippet of code to put in lib/adapter_connection.rb under your RAILS_ROOT so that you can obtain the true connection and start binding and escaping.

[...]



