h() is just "html string".gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')
Although I would actually stick to using <%=h instead of putting sanitised data in the database. What if you change your mind about sanitising, or want to display data differently based on the type of user (html for admin, h-ed for everyone else)?
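An added example, not code from the original post, showing the escape-at-output argument in runnable Ruby: h mirrors the gsub chain above, render_for is a hypothetical view helper, and the comment string is a constructed sample.

```ruby
# Same four replacements as the h() helper described in the post.
# '&' must be replaced first: every later replacement introduces a new '&',
# and doing '&' last would turn "&lt;" into "&amp;lt;".
def h(s)
  s.to_s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')
end

# Same replacements in the wrong order, to show why the order matters.
def h_wrong_order(s)
  s.to_s.gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;').gsub('&', '&amp;')
end

# Constructed sample: what a user typed into a comment form.
RAW_COMMENT = '<b>Hi</b> & "bye" <script>alert(1)</script>'

# Strategy A (what the post recommends): store the raw string and decide at
# render time. Admins get the markup as-is, everyone else gets it escaped.
def render_for(role, stored)
  role == :admin ? stored : h(stored)
end

# Strategy B: escape before storing. The stored copy can no longer be shown
# as HTML to admins, and a view that still applies <%=h ... %> to it
# escapes the text a second time.
def store_escaped(raw)
  h(raw)
end

def render_from_escaped_store(stored)
  h(stored)   # the view has no way to know the data was already escaped
end

if __FILE__ == $PROGRAM_NAME
  puts render_for(:admin, RAW_COMMENT)
  puts render_for(:user, RAW_COMMENT)
  puts render_from_escaped_store(store_escaped(RAW_COMMENT))
end
```
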