tl;dr
Due to Rails parameter-parsing oddities, the SQL injection vulnerability can be exploited even in a basic ActiveRecord app. The same technique yields an effective DoS.
Put 'ActionDispatch::ParamsParser::DEFAULT_PARSERS={}' in application.rb, or otherwise mitigate, ASAP.
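One way to take the "otherwise mitigate" route, as an added example that is not part of the original post or of Rails itself: a Rack-style middleware that answers 415 for request bodies in the formats the default parameter parsers would decode, so those bodies never reach the parser. It assumes the formats to refuse are XML and YAML, and that the middleware is inserted before ActionDispatch::ParamsParser (e.g. via config.middleware.insert_before in application.rb); it needs no gems to run.

```ruby
require 'stringio'

# Added example (not from the original post). Refuses XML and YAML request
# bodies before they reach the Rails parameter parsers, as an alternative to
# blanking ActionDispatch::ParamsParser::DEFAULT_PARSERS. Assumption: the
# media types listed below are the ones whose parsing must be prevented.
class RejectParsedBodies
  BLOCKED_TYPES = %w[
    application/xml text/xml
    application/x-yaml text/yaml text/x-yaml
  ].freeze

  def initialize(app)
    @app = app
  end

  # Rack interface: env is a Hash; returns [status, headers, body].
  def call(env)
    if self.class.blocked?(env['CONTENT_TYPE'])
      return [415, { 'Content-Type' => 'text/plain' }, ['Unsupported Media Type']]
    end
    @app.call(env)
  end

  # Compare only the media type: drop parameters such as ";charset=utf-8"
  # and ignore case, since Content-Type values are case-insensitive.
  def self.blocked?(content_type)
    return false if content_type.nil?
    media_type = content_type.split(';').first.to_s.strip.downcase
    BLOCKED_TYPES.include?(media_type)
  end
end

# Constructed sample app and requests to exercise the middleware offline.
INNER_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }

def status_for(content_type, body = '')
  env = {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE'   => content_type,
    'rack.input'     => StringIO.new(body)
  }
  RejectParsedBodies.new(INNER_APP).call(env).first
end
```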
Reading:
https://news.ycombinator.com/item?id=5002898
https://homakov.blogspot.com/2013/01/rails-security-digest-eli5.html
https://twitter.com/homakov
https://twitter.com/charliesome