Exception: ActiveRecord::UnknownAttributeReference
Relationships & Source Files
Super Chains via Extension / Inclusion / Inheritance
Class Chain: self, ActiveRecordError, StandardError
Instance Chain: self, ActiveRecordError, StandardError
Inherits: ActiveRecord::ActiveRecordError
Defined in: activerecord/lib/active_record/errors.rb
Overview
UnknownAttributeReference is raised when an unknown and potentially unsafe value is passed to a query method when allow_unsafe_raw_sql is set to :disabled. For example, passing a non column name value to a relation’s #order method might cause this exception.
When working around this exception, caution should be taken to avoid SQL injection vulnerabilities when passing user-provided values to query methods. Known-safe values can be passed to query methods by wrapping them in Arel.sql.
For example, with allow_unsafe_raw_sql set to :disabled, the following code would raise this exception:
Post.order("length(title)").first
The desired result can be accomplished by wrapping the known-safe string in Arel.sql:
Post.order(Arel.sql("length(title)")).first
Again, such a workaround should not be used when passing user-provided values, such as request parameters or model attributes, to query methods.
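One way to let a request choose the sort order without ever handing request data to Arel.sql, shown as an added example that is not part of the Rails documentation. SORTABLE, MAX_SORT_KEYS, InvalidSort, safe_order_fragments and the "-key,key" parameter syntax are hypothetical names and conventions assumed for illustration.

```ruby
# Added example (not Rails code): resolve a user-supplied sort parameter to
# known-safe ORDER BY fragments through an allowlist. All names are hypothetical.

# Every SQL fragment that can reach Arel.sql is written here by the developer.
SORTABLE = {
  "title"        => "title",
  "created"      => "created_at",
  "title_length" => "length(title)"
}.freeze

# Upper bound on how many sort keys one request may combine.
MAX_SORT_KEYS = 3

class InvalidSort < ArgumentError; end

# Accepts a string such as "-title_length,created" (a leading "-" means DESC)
# and returns an array of SQL fragments built only from SORTABLE values.
# User input selects a key and a direction; it is never copied into the SQL.
def safe_order_fragments(param)
  keys = param.to_s.split(",").map(&:strip).reject(&:empty?)
  raise InvalidSort, "no sort key given" if keys.empty?
  raise InvalidSort, "too many sort keys" if keys.size > MAX_SORT_KEYS

  keys.map do |key|
    direction = key.start_with?("-") ? "DESC" : "ASC"
    name = key.delete_prefix("-")
    # Anything that is not an exact allowlist key is rejected, including raw
    # SQL such as "length(title)" typed directly into the parameter.
    expr = SORTABLE.fetch(name) do
      raise InvalidSort, "unsupported sort key: #{name.inspect}"
    end
    "#{expr} #{direction}"
  end
end

# In a Rails application with the Post model used on this page, the result
# would be passed on like this (params[:sort] is an assumed request parameter):
#   Post.order(Arel.sql(safe_order_fragments(params[:sort]).join(", ")))
```

The caller rescues InvalidSort and falls back to a default ordering or returns a client error, so a rejected parameter never reaches the query.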