nice find. there is sql injection in 2.3.x and it effects all adapters and not just postgresql.
i just tried quoted_id and it works against mysql on 3.2.x as well. quoted_id is defined in abstract/quoting.rb and any adapter that forwards quotes to the superclass will use it.
<3<3<3<3