diff --git a/app/services/badge_granter.rb b/app/services/badge_granter.rb index 19aede8e6..252e4501f 100644 --- a/app/services/badge_granter.rb +++ b/app/services/badge_granter.rb @@ -134,8 +134,10 @@ class BadgeGranter def self.preview(sql, opts = {}) params = {user_ids: [], post_ids: [], backfill: true} - count_sql = "SELECT COUNT(*) count FROM (#{sql}) q" - grant_count = SqlBuilder.map_exec(OpenStruct, count_sql, params).first.count + + # hack to allow for params, otherwise sanitizer will trigger sprintf + count_sql = "SELECT COUNT(*) count FROM (#{sql}) q WHERE :backfill = :backfill" + grant_count = SqlBuilder.map_exec(OpenStruct, count_sql, params).first.count.to_i grants_sql = if opts[:target_posts] @@ -144,11 +146,13 @@ class BadgeGranter JOIN users u on u.id = q.user_id LEFT JOIN badge_posts p on p.id = q.post_id LEFT JOIN topics t on t.id = p.topic_id + WHERE :backfill = :backfill LIMIT 10" else "SELECT u.id, u.username, q.granted_at FROM(#{sql}) q JOIN users u on u.id = q.user_id + WHERE :backfill = :backfill LIMIT 10" end diff --git a/spec/services/badge_granter_spec.rb b/spec/services/badge_granter_spec.rb index c2d4cb5ca..f721fb036 100644 --- a/spec/services/badge_granter_spec.rb +++ b/spec/services/badge_granter_spec.rb @@ -5,6 +5,14 @@ describe BadgeGranter do let(:badge) { Fabricate(:badge) } let(:user) { Fabricate(:user) } + describe 'preview' do + it 'can correctly preview' do + Fabricate(:user, email: 'sam@gmail.com') + result = BadgeGranter.preview('select id user_id, null post_id, created_at granted_at from users where email like \'%gmail.com\'') + result[:grant_count].should == 1 + end + end + describe 'backfill' do it 'has no broken badge queries' do
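Review bot: The `WHERE :backfill = :backfill` tautology added to `count_sql` (and to both `grants_sql` strings in the next hunk) appears only to keep the sanitizer from treating a `%` in the badge query as a format directive; `sql` is still interpolated verbatim into `FROM (#{sql}) q` and executed, and the one-line comment says neither. I would expand the comment to something like `# sql is executed as-is: it must come from a trusted, admin-authored badge definition, never from request input`, followed by `# the no-op :backfill predicate forces named-bind handling so a literal % (e.g. LIKE '%x') is not handed to sprintf`. The callers of `preview` are not visible in this hunk, so it is worth confirming that only staff-gated paths reach it. A read-only transaction or statement timeout around the preview queries would also stop a mistaken or hostile query from writing to or stalling the database. The body of `preview` continues past the end of the hunk.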
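Review bot: The new `preview` example covers only the default branch; the `opts[:target_posts]` query received the same `:backfill` clause in badge_granter.rb but is never run here with a `%` in the SQL. A second example along the lines of `BadgeGranter.preview(sql, target_posts: true)[:grant_count].should == 1` would exercise it, assuming `preview` executes `grants_sql` and that a null `post_id` still passes through the LEFT JOINs. It would also help to pin the failure mode this commit works around, for instance by noting in the example description that the query deliberately contains a literal `%`, so that a later cleanup of the tautology does not silently reintroduce the sprintf path.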