RFC: Remove support for "% style"(printf style) prepared statement from ActiveRecord


spike...@gmail.com

Sep 26, 2015, 11:35:59 AM
to Ruby on Rails: Core
Now `ActiveRecord::Base.sanitize_sql_array` supports two formats (the example code is quoted from test/cases/sanitize_test.rb):

1. "% style" (printf style)

```ruby
assert_equal "name='#{quoted_bambi}'", Binary.send(:sanitize_sql_array, ["name='%s'", "Bambi"])
```

2. "?" as placeholder

```ruby
assert_equal "name=#{quoted_bambi}", Binary.send(:sanitize_sql_array, ["name=?", "Bambi"])
```

I want to deprecate and remove "% style"; there are three reasons why I will do it:

1. I think that in normal use cases, almost all "%" placeholders can be replaced with "?". If there are any use cases where we cannot replace them, please teach me :)

2. The usage of the two is different, and sometimes this difference creates insecure queries.

When we use "?", we should not quote "?". But when we use "%", we should quote "%s" by ourselves. This is confusing and dangerous.
There was unquoted "%s" in the Rails test code: https://github.com/rails/rails/pull/21758/files


Regards
yui-knk
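To make the difference between the two placeholder styles concrete, here is an added, simplified model of what `sanitize_sql_array` does with each of them. This is illustration code written for this thread, not ActiveRecord's implementation: `quote_string` and `quote` mimic the connection adapter's escaping (escape `\` and `'`; `quote` additionally wraps the value in single quotes), and `unquoted_percent_placeholders` is a hypothetical lint helper that counts `%s` placeholders the caller forgot to quote, the mistake fixed in the linked Rails PR. All inputs are constructed.

```ruby
# Added illustration (not ActiveRecord's own code): a simplified model of the
# two placeholder styles accepted by sanitize_sql_array.

# Mimics connection.quote_string: escapes backslashes and single quotes but
# does NOT add surrounding quotes. This is all a "% style" value receives.
def quote_string(value)
  value.to_s.gsub(/[\\']/) { |c| "\\#{c}" }
end

# Mimics connection.quote for a string: escape, then wrap in single quotes.
# This is what a "?" placeholder receives, so the caller must not add quotes.
def quote(value)
  "'#{quote_string(value)}'"
end

# "% style": the statement is a printf format string; each value is only
# escaped, so the SQL around %s decides whether it becomes a string literal.
def sanitize_percent_style(statement, values)
  statement % values.map { |v| quote_string(v) }
end

# "?" style: each ? is replaced, left to right, with a fully quoted literal.
def sanitize_question_style(statement, values)
  remaining = values.dup
  statement.gsub("?") { quote(remaining.shift) }
end

# Hypothetical lint helper: count %s placeholders not wrapped in single quotes.
# A "% style" statement with a non-zero count interpolates the escaped value as
# a bare SQL token instead of a string literal.
def unquoted_percent_placeholders(statement)
  statement.scan(/(?<!')%s(?!')/).size
end

if __FILE__ == $0
  # Correctly quoted "% style" and plain "?" style produce the same literal.
  puts sanitize_percent_style("name='%s'", ["Bambi"])   # name='Bambi'
  puts sanitize_question_style("name=?", ["Bambi"])     # name='Bambi'

  # Forgetting the quotes around %s yields a bare token, not a string literal.
  puts sanitize_percent_style("name=%s", ["Bambi"])     # name=Bambi

  # Both styles escape an embedded quote, so the literal stays well-formed.
  puts sanitize_question_style("name=?", ["O'Brien"])   # name='O\'Brien'

  # The lint flags the unquoted placeholder in a mixed statement.
  puts unquoted_percent_placeholders("name='%s' AND id=%s")  # 1
end
```

Running the lint over existing `sanitize_sql_array` call sites with "% style" arguments is one way to find the unquoted cases before migrating them to "?" placeholders, where the quoting question does not arise.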

Sean Griffin

Sep 27, 2015, 11:57:56 AM
to Ruby on Rails: Core
I do not think we would consider this proposal without a stronger reason as to why it is causing harm. It would be an unnecessary breaking change to existing apps.