Thanks for all the helpful advice, which led me down my final path. I ended up changing my string to an array of values to take advantage of Rails' built-in method, sanitize_sql_array, after reading another post.
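placeholders = []
insert_values = []
csvrow.each do |row|
  # One "(?,?,?)" group per row; the values are passed separately, never interpolated.
  placeholders << "(?,?,?)"
  insert_values << params[:quantity] << params[:name] << Time.now.to_s(:db)
end
# Array form expected by sanitize_sql_array: [statement, bind1, bind2, ...]
query_string = ["INSERT INTO `my_table` (`quantity`, `name`, `created_at`) VALUES #{placeholders.join(", ")}"] + insert_values
# sanitize_sql_array is not public on ActiveRecord::Base here, hence the send.
sql = ActiveRecord::Base.send(:sanitize_sql_array, query_string)
ActiveRecord::Base.connection.execute(sql)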
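
An added example, not part of the original post and not Rails' own code: a simplified stand-alone model of what the array form does with the `?` placeholders, so it runs without ActiveRecord. `quote_value`, `bind_array`, `build_insert` and the sample rows are hypothetical names and constructed data; in Rails the quoting is done by the database connection, and MySQL-style escaping is assumed here.

```ruby
# Constructed sample rows, as if already parsed from the CSV.
ROWS = [
  { quantity: "3", name: "O'Brien" },    # embedded single quote
  { quantity: "1", name: "bolt (M8?)" }  # "?" inside a value
].freeze

# Stand-in for the connection's quoting (assumption: MySQL-style escaping).
def quote_value(value)
  case value
  when nil then "NULL"
  when Integer, Float then value.to_s
  else "'" + value.to_s.gsub("\\") { "\\\\" }.gsub("'") { "''" } + "'"
  end
end

# Simplified model of the array form: statement first, then one value per "?".
def bind_array(ary)
  statement, *values = ary
  expected = statement.count("?")
  unless expected == values.size
    raise ArgumentError, "wrong number of bind variables (#{values.size} for #{expected})"
  end
  binds = values.dup
  # gsub scans only the statement, so a "?" inside a bound value is never re-read.
  statement.gsub("?") { quote_value(binds.shift) }
end

# Same construction as the post: one placeholder group per row, values kept apart.
def build_insert(rows, now)
  placeholders = []
  insert_values = []
  rows.each do |row|
    placeholders << "(?,?,?)"
    insert_values << Integer(row[:quantity]) << row[:name] << now
  end
  ["INSERT INTO `my_table` (`quantity`, `name`, `created_at`) VALUES #{placeholders.join(", ")}"] + insert_values
end

puts bind_array(build_insert(ROWS, "2024-01-01 00:00:00"))
```

The values reach the statement only through the quoting step, which is the property the array form provides over string interpolation.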