@bmaddy
Created February 11, 2011 17:01
How does escaping work in Rails 3?
bmaddy@foo:~/src/sandbox/console$ rails c
Loading development environment (Rails 3.0.4)
ruby-1.8.7-p330 :001 > User.count
=> 0
ruby-1.8.7-p330 :002 > User.order("name; delete from users;--").to_sql
=> "SELECT \"users\".* FROM \"users\" ORDER BY name; delete from users;--"
ruby-1.8.7-p330 :003 > User.order("?", "name; delete from users;--").to_sql
=> "SELECT \"users\".* FROM \"users\" ORDER BY ?, name; delete from users;--"
ruby-1.8.7-p330 :004 > User.order(["?", "name; delete from users;--"]).to_sql
=> "SELECT \"users\".* FROM \"users\" ORDER BY ?, name; delete from users;--"
ruby-1.8.7-p330 :005 > User.create :name => "Capt. Awesome"
=> #<User id: 2, name: "Capt. Awesome", created_at: "2011-02-11 16:57:35", updated_at: "2011-02-11 16:57:35">
ruby-1.8.7-p330 :006 > User.count
=> 1
ruby-1.8.7-p330 :007 > User.order("name; delete from users;--")
=> [#<User id: 2, name: "Capt. Awesome", created_at: "2011-02-11 16:57:35", updated_at: "2011-02-11 16:57:35">]
ruby-1.8.7-p330 :008 > User.count
=> 1
ruby-1.8.7-p330 :009 > User.connection.execute User.order(["?", "name; delete from users;--"]).to_sql
=> [{"name"=>"Capt. Awesome", 0=>2, "created_at"=>"2011-02-11 16:57:35.131638", 1=>"Capt. Awesome", "updated_at"=>"2011-02-11 16:57:35.131638", 2=>"2011-02-11 16:57:35.131638", "id"=>2, 3=>"2011-02-11 16:57:35.131638"}]
ruby-1.8.7-p330 :010 > User.count
=> 1
ruby-1.8.7-p330 :011 > ^D
bmaddy@foo:~/src/sandbox/console$ rails db
SQLite version 3.6.12
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> SELECT * FROM users;
2|Capt. Awesome|2011-02-11 16:57:35.131638|2011-02-11 16:57:35.131638
sqlite> SELECT "users".* FROM "users" ORDER BY name; delete from users;--
2|Capt. Awesome|2011-02-11 16:57:35.131638|2011-02-11 16:57:35.131638
sqlite> SELECT * FROM users;
sqlite> SELECT count(*) FROM users;
0
sqlite>
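The session above shows two things: `order` in Rails 3 passes its argument through as raw SQL, and the `?` placeholder forms are not substituted there at all (the `?` survives into the generated SQL). It also shows that the SQLite adapter only ran the first statement (`User.count` stayed at 1 after the `order` call), while the `sqlite` shell happily ran the stacked `delete`; that difference is a property of the adapter, not a protection to rely on. The following is an added example, not code from this gist or from Rails: a plain-Ruby imitation of `?` value binding (as `where(["name = ?", v])` does it), to make visible why binding would not have helped with ORDER BY even if `order` supported it, beside the allowlist that is the usual fix for a user-controlled sort parameter. The helper names (`bind_values`, `safe_order_fragment`, `build_query`), the allowlist contents and the `"column:direction"` parameter format are assumptions made for the example; no database is needed.

```ruby
# Added example; not from the gist or from ActiveRecord. Helper names are
# hypothetical.

# Minimal imitation of "?" value binding: each "?" becomes the value as a
# single-quoted SQL string literal with embedded quotes doubled. This protects a
# *value*; it can never yield a bare column name, so ORDER BY ? would sort by a
# constant string, not by the requested column. Identifiers cannot be bound.
def bind_values(sql, *values)
  values = values.dup
  sql.gsub("?") do
    v = values.shift
    "'" + v.to_s.gsub("'", "''") + "'"
  end
end

# Allowlist (assumed for this example): the only tokens that may reach ORDER BY.
ALLOWED_SORT_COLUMNS = %w[id name created_at updated_at].freeze
ALLOWED_DIRECTIONS   = %w[asc desc].freeze

# Map a request parameter such as "name" or "name:desc" to an ORDER BY fragment
# built only from allowlisted tokens. Anything else (including the gist's
# "name; delete from users;--") yields nil and the caller falls back to a default.
def safe_order_fragment(param)
  column, direction = param.to_s.split(":", 2)
  direction = (direction || "asc").downcase
  return nil unless ALLOWED_SORT_COLUMNS.include?(column)
  return nil unless ALLOWED_DIRECTIONS.include?(direction)
  "#{column} #{direction.upcase}"
end

# Assemble the same SELECT the gist printed via to_sql, using the allowlisted
# fragment, so the contrast with the injected output is visible. In a Rails
# app the equivalent is User.order(safe_order_fragment(params[:sort]) || "id ASC").
def build_query(param)
  base = 'SELECT "users".* FROM "users"'
  fragment = safe_order_fragment(param)
  fragment ? "#{base} ORDER BY #{fragment}" : base
end

if __FILE__ == $0
  payload = "name; delete from users;--"
  puts bind_values('SELECT "users".* FROM "users" ORDER BY ?', payload)
  puts build_query(payload)
  puts build_query("name:desc")
end
```

Running the file prints the bound form (`ORDER BY 'name; delete from users;--'`, a harmless constant but also a useless sort), the allowlisted query for the injected payload (no ORDER BY at all), and `ORDER BY name DESC` for a legitimate request. The point for the reader of this gist is that sort columns and directions have to be validated against a fixed set before they reach `order`; there is no escaping function that makes an arbitrary string safe in identifier position.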