Is ActiveRecord's “order” method vulnerable to SQL injection?

Question

I know it\'s not safe to use interpolated strings when calling .where.

e.g. this:

Client.where(\"orders_count = #{params[:orders]}\")

Answer 1

Client.order("#{some_value_1}, #{some_value_2}")

should be written as

order = sanitize_sql_array(['%s, %s', some_value_1, some_value_2])
Client.order(order)