in rails, basically attempt to have an object using where:

Customer.where(:name => "abc")

the log file implies that no database bindings are utilized.

WHERE "apps"."name" = 'abc'

If i produce a new object

Customer.create(:name => "abc", :field => 1)

rails uses parameters

INSERT INTO "customers" ("name", "field") VALUES (?, ?) 

how do i get rails to make use of database parameter bindings in while well?

The next statement also creates exactly the same where

Customer.where("title = ?", "abc")

In Rails 3.1, prepared claims are utilized, so you will notice queries like:

SELECT * FROM customers WHERE customers.name = ? [["name", "abc"]]

So far as I understand, this works best for Postgres and never MySql.

You need not be worried about SQL injection, regardless. Please discover the protections against SQL injection which are built-directly into Rails: http://guides.rubyonrails.org/security.html#sql-injection