123456789_123456789_123456789_123456789_123456789_

Exception: ActiveRecord::UnknownAttributeReference

Relationships & Source Files
Super Chains via Extension / Inclusion / Inheritance
Class Chain:
self, ActiveRecordError, StandardError
Instance Chain:
self, ActiveRecordError, StandardError
Inherits: ActiveRecord::ActiveRecordError
Defined in: activerecord/lib/active_record/errors.rb

Overview

UnknownAttributeReference is raised when an unknown and potentially unsafe value is passed to a query method when allow_unsafe_raw_sql is set to :disabled. For example, passing a non column name value to a relation’s #order method might cause this exception.

When working around this exception, caution should be taken to avoid SQL injection vulnerabilities when passing user-provided values to query methods. Known-safe values can be passed to query methods by wrapping them in Arel.sql.

For example, with allow_unsafe_raw_sql set to :disabled, the following code would raise this exception:

Post.order("length(title)").first

The desired result can be accomplished by wrapping the known-safe string in Arel.sql:

Post.order(Arel.sql("length(title)")).first

Again, such a workaround should not be used when passing user-provided values, such as request parameters or model attributes to query methods.