validating text in Rails.

Hi Sam -

h() is there to protect you from cross-site scripting attacks.

SQL injection attacks are a different beast. Luckily, ActiveRecord will take care of those for you, as long as you use it correctly. This boils down to never manually inserting user-entered content into an SQL query.

For more detail: Peak Obsession

Cheers, Starr
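The two points Starr makes, as an added example that is not part of the original thread: Rails' h() is ERB::Util.html_escape, while the query helpers below are a simplified stand-in (an assumption, not ActiveRecord's own code) contrasting string interpolation with the `?` placeholder form, so the difference in the resulting SQL is visible.

```ruby
require "erb"

# Rails' h() helper delegates to ERB::Util.html_escape: it turns the
# characters a browser treats as markup into entities, so user-entered
# text rendered in a view cannot become script (cross-site scripting).
def h(text)
  ERB::Util.html_escape(text)
end

# The pattern the post warns against: user input spliced straight into SQL,
# as in User.where("name = '#{params[:name]}'"). Returns the SQL string so
# the effect can be inspected.
def unsafe_where(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Simplified stand-in (assumption, not ActiveRecord's implementation) for
# what the `?` placeholder form, User.where("name = ?", params[:name]),
# does: the value is quoted and embedded single quotes are doubled, so the
# input can only ever be a string literal, never SQL syntax.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def safe_where(name)
  "SELECT * FROM users WHERE name = ?".sub("?") { quote(name) }
end

if __FILE__ == $0
  evil = "x' OR '1'='1"   # constructed attacker-style input
  puts unsafe_where(evil) # the OR clause becomes live SQL
  puts safe_where(evil)   # the whole value stays one quoted literal
  puts h("<script>alert(1)</script>")
end
```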