How to use wildcards in an Active Record where clause while protecting against SQL injection

You should modify your query like this:

User.where("first_name LIKE (?)", "%#{first_name}%")

Update: Rails has improved this some.

Arel allows you to build queries with a simple DSL, and as a bonus, it's included in ActiveRecord. Here is an example for your use case.

User.where(User.arel_table[:first_name].matches("%#{first_name}%"))

This will do a case-insensitive search using ILIKE instead of LIKE.

I also want to note that Arel is internal to Rails and is purposefully not exposed by the framework.
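One caveat worth making concrete: binding the parameter (either form above) stops SQL injection, but a `%` or `_` typed by the user is still interpreted as a LIKE wildcard inside the bound value. Rails escapes those with `ActiveRecord::Base.sanitize_sql_like`. The following is an added, stand-alone example (not from the answer above, and not using ActiveRecord itself) that reimplements that escaping and a small LIKE evaluator so the difference can be seen without a database; `NAMES`, `escape_like`, `contains_pattern`, `like_match?` and `search` are all constructed here.

```ruby
# Escape character used by ActiveRecord's sanitize_sql_like by default.
ESCAPE = "\\".freeze

# Escape LIKE metacharacters so the user's term is matched literally.
# Mirrors ActiveRecord::Base.sanitize_sql_like(term, "\\").
def escape_like(term, esc = ESCAPE)
  term.gsub(Regexp.union(esc, "%", "_")) { |c| esc + c }
end

# Build the "%term%" pattern from the answer, with the term escaped.
# In Rails this would then be bound as usual, e.g.
#   User.where("first_name LIKE ? ESCAPE '\\'", contains_pattern(term))
# (the ESCAPE clause matters on databases such as SQLite that have no
# default escape character).
def contains_pattern(term)
  "%#{escape_like(term)}%"
end

# Minimal evaluator of SQL LIKE semantics (with an ESCAPE character),
# used only to demonstrate the behaviour offline; it is not Rails code.
def like_match?(pattern, value, esc = ESCAPE)
  re = +""
  chars = pattern.chars
  i = 0
  while i < chars.length
    c = chars[i]
    if c == esc && i + 1 < chars.length
      re << Regexp.escape(chars[i + 1])   # escaped metacharacter: literal
      i += 2
      next
    end
    re << case c
          when "%" then ".*"               # any run of characters
          when "_" then "."                # exactly one character
          else Regexp.escape(c)
          end
    i += 1
  end
  value.match?(/\A#{re}\z/m)
end

# Constructed sample data standing in for the users table.
NAMES = %w[Alice Bob 100%].freeze

# Names returned by a "contains" search, with or without escaping the term.
def search(term, escape: true)
  pattern = escape ? contains_pattern(term) : "%#{term}%"
  NAMES.select { |n| like_match?(pattern, n) }
end
```

With `escape: false` a term of `"%"` returns every row; with escaping it only returns the name that literally contains a percent sign.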