Accepts an array or string. The string is returned untouched, but the array has each value sanitized and interpolated into the sql statement.
["name='%s' and group_id='%s'", "foo'bar", 4] returns "name='foo''bar' and group_id='4'"
[Validate]