I believe so. When you call `raw_sql`, the API doesn't provide a way for you to specify which parts of the query are parameters, so it just passes that exact string into exec.
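To make the consequence concrete, here is an added example (not code from the thread or from whatever library `raw_sql` belongs to). It uses Python's `sqlite3` with a hypothetical `raw_sql` helper that, as described above, hands the query text straight to the driver's exec with no parameter slots, beside a parameterized lookup. The table, rows and inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample database; not data from the original thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def raw_sql(conn, query):
    """Hypothetical stand-in for a raw_sql-style API: the caller cannot mark
    any part of the string as a parameter, so the whole thing is executed
    as SQL text exactly as given."""
    return conn.execute(query).fetchall()


def find_user_unsafe(conn, name):
    # With raw_sql the only way to get a value in is to build it into the
    # string, so the value becomes part of the SQL grammar itself.
    return raw_sql(conn, f"SELECT name, role FROM users WHERE name = '{name}'")


def find_user_safe(conn, name):
    # Parameterized: the value is sent separately from the query text and is
    # bound as data, so it is never parsed as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(conn, name):
    """Run both lookups on the same input and report what each produced.
    The unsafe path may raise on perfectly legitimate input (a name with an
    apostrophe), which is reported as an error string instead of a result."""
    try:
        unsafe = find_user_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        unsafe = f"error: {exc}"
    return {"unsafe": unsafe, "safe": find_user_safe(conn, name)}


if __name__ == "__main__":
    db = make_db()
    for candidate in ("alice", "x' OR '1'='1", "o'brien"):
        print(repr(candidate), "->", compare(db, candidate))
```

Three inputs tell the story: a plain name behaves the same both ways; the classic `x' OR '1'='1` turns the raw query into a tautology and returns every row, while the parameterized query returns nothing; and a legitimate name containing an apostrophe is a syntax error on the raw path but an exact match on the parameterized one. If an API only offers a `raw_sql`-style call, the fix is to reach for whatever bound-parameter path the driver exposes rather than to escape the string by hand.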