Perhaps Github isn't on Rails 4.2, but they've already created a method for sanitizing SQL like statements in ActiveRecord::Sanitization[1], so they shouldn't need a custom function to remove SQL injection. Also, you could always just use ActiveRecord::Base.connection.quote which will safely quote the string you want to input.
The LIKE query '%64%68%6f%6d%65%73@%67%6d%61%69%6c.%63%6f%6d%' wasn't an injection attempt, it's just a URL-encoded email address. Most likely it was accidentally double-encoded in the search URL for some reason, so it ended up still encoded in the SQL query.
[1] http://apidock.com/rails/ActiveRecord/Sanitization/ClassMeth...