How to use wildcards in an active record where clause while protecting against sql injection
You should modify your query like this
```ruby
User.where("first_name LIKE (?)", "%#{first_name}%")
```
Update: Rails has improved this some.
Arel allows you to build queries with a simple DSL, and as a bonus, it's included in ActiveRecord. Here is an example for your use case.
```ruby
User.where(User.arel_table[:first_name].matches("%#{first_name}%"))
```
This will do a case-insensitive search using ILIKE instead of LIKE.
Also want to note that Arel is internal to Rails and purposefully not exposed by the framework.
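Both answers above bind the pattern as a parameter, so quotes in `first_name` cannot break out of the SQL string. What the bind does not neutralise is `%` and `_` inside the user's term, which the database still reads as wildcards. The following is an added example, not code from either answer or from Rails: a standalone escaper that mirrors what `ActiveRecord::Base.sanitize_sql_like` does (Rails 4.2+), plus a small LIKE evaluator (an assumption, used only to show what a database with the default backslash escape would match) so the effect can be checked without a database.

```ruby
# Added example: escape LIKE metacharacters in an untrusted term before
# wrapping it in our own wildcards. Assumed: `term` is a request parameter.
# Rails >= 4.2 offers the same escaping via sanitize_sql_like; this version
# runs without Rails so the behaviour can be exercised directly.

LIKE_ESCAPE = "\\"  # default escape character for LIKE in MySQL and PostgreSQL

# Prefix the escape character itself, '%' (any run) and '_' (any single
# character) with the escape character so they match literally.
def escape_like(term, escape = LIKE_ESCAPE)
  term.gsub(/[\\%_]/) { |ch| escape + ch }
end

# Bind value for: where("first_name LIKE ?", like_pattern(term))
# After escaping, the two '%' we add are the only live wildcards left.
def like_pattern(term)
  "%#{escape_like(term)}%"
end

# Minimal case-sensitive LIKE evaluator (hypothetical helper, not part of
# ActiveRecord): translates the pattern to a regexp honouring the escape char.
def like_match?(pattern, value, escape = LIKE_ESCAPE)
  re = +""
  chars = pattern.chars
  i = 0
  while i < chars.size
    c = chars[i]
    if c == escape && i + 1 < chars.size
      re << Regexp.escape(chars[i + 1]); i += 2   # escaped: literal next char
    elsif c == "%"
      re << ".*"; i += 1                           # any run of characters
    elsif c == "_"
      re << "."; i += 1                            # exactly one character
    else
      re << Regexp.escape(c); i += 1
    end
  end
  value.match?(/\A#{re}\z/m)
end

if __FILE__ == $PROGRAM_NAME
  term = "50%_off"                      # constructed untrusted input
  puts like_pattern(term)               # %50\%\_off%
  puts like_match?(like_pattern(term), "save 50%_off today")   # true
  puts like_match?(like_pattern(term), "save 50 off today")    # false
  puts like_match?("%#{term}%", "save 50 off today")           # true: unescaped
end
```

The last line shows the unescaped form from the answers matching a row that does not contain the term at all; the escaped pattern matches only the literal text.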