Active Record vulnerable to SQL Injection via nested query parameters