Rails 5 SQL Injection


Using quote is safe. I read the answers on the page you linked to, and I don't see anyone saying that quote is insecure. I see your question about using "quotes". Yes, if you just put quotes around a string, that is insecure, e.g.:

q = "SELECT * FROM users where email = '#{params[:email]}'"

But using quote (the method) is fine:

q = "SELECT * FROM users where email = #{connection.quote(params[:email])}"

You could play around in the console and try your best to break it, but I don't think you'll be able to:

2.3.3 :003 > ActiveRecord::Base.connection.quote("f''oo")
=> "'f''''oo'"

If you succeed, I'm sure the Rails team would like to know (privately)! But as you can see, the quote method does more than stick a quote at the beginning and end.

Also, since you say you are looking for an authoritative citation, the comments in the source code itself suggest that quoting user inputs is the intended purpose of these functions:

https://github.com/rails/rails/blob/2471e6391dfe71cfbb8621bdf573729d961d3209/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb#L6-L13

# Quotes the column value to help prevent
# {SQL injection attacks}[http://en.wikipedia.org/wiki/SQL_injection].
def quote(value)

https://github.com/rails/rails/blob/0f1d0b1b5254e3678abaabbebb3362a100c10262/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb#L17-L20

# Quotes strings for use in SQL input.
def quote_string(s) #:nodoc:

(Note I am showing quote_string for the comment, but you should probably use quote, which tries to figure out the data type and do something appropriate.)

By the way, here is a similar question to yours, with an answer from me in 2014, and some alternatives too: How to execute a raw update sql with dynamic binding in rails
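As an added illustration (not part of the answer above, and not ActiveRecord's own code), the following pure-Ruby script shows why a quoted value cannot escape its string literal. The quote_str stand-in only doubles single quotes, as seen in the console output above; the real adapters do more (the MySQL adapter also escapes backslashes), and the split_literals scanner is an assumption of my own that models standard-SQL single-quoted literals only.

```ruby
# Minimal stand-in for connection.quote on a String: wrap in single quotes
# and double any embedded single quote. ASSUMPTION: real adapters handle
# more cases (backslashes, non-string types); this mirrors the console
# output "'f''''oo'" shown in the answer only.
def quote_str(s)
  "'" + s.gsub("'", "''") + "'"
end

# The insecure pattern from the answer: quotes pasted around raw input.
def unsafe_query(email)
  "SELECT * FROM users where email = '#{email}'"
end

# The safe pattern from the answer, using the quoting stand-in.
def safe_query(email)
  "SELECT * FROM users where email = #{quote_str(email)}"
end

# Scans a query the way a SQL lexer sees single-quoted literals ('' is an
# escaped quote). Returns [literals, sql_outside_literals], i.e. what the
# database would treat as data versus what it would execute as SQL.
def split_literals(sql)
  literals = []
  outside = +""
  cur = nil
  i = 0
  while i < sql.length
    ch = sql[i]
    if cur.nil?
      ch == "'" ? cur = +"" : outside << ch
    elsif ch == "'"
      if sql[i + 1] == "'"   # doubled quote: a literal quote character
        cur << "'"
        i += 1
      else                   # closing quote: literal is complete
        literals << cur
        cur = nil
      end
    else
      cur << ch
    end
    i += 1
  end
  [literals, outside]
end

# Constructed sample input: a classic tautology attempt.
INPUT = "' OR '1'='1"

puts unsafe_query(INPUT)   # the OR lands outside any literal: executed as SQL
puts safe_query(INPUT)     # the whole input stays inside one literal: data
```

Running it shows the unsafe query splitting into three literals with `OR` outside them, while the safe query contains exactly one literal whose value equals the original input.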