Exception: ActiveRecord::UnknownAttributeReference
Relationships & Source Files | |
Super Chains via Extension / Inclusion / Inheritance | |
Class Chain:
self,
ActiveRecordError ,
StandardError
|
|
Instance Chain:
self,
ActiveRecordError ,
StandardError
|
|
Inherits: |
ActiveRecord::ActiveRecordError
|
Defined in: | activerecord/lib/active_record/errors.rb |
Overview
UnknownAttributeReference
is raised when an unknown and potentially unsafe value is passed to a query method. For example, passing a non column name value to a relation’s #order
method might cause this exception.
When working around this exception, caution should be taken to avoid SQL injection vulnerabilities when passing user-provided values to query methods. Known-safe values can be passed to query methods by wrapping them in Arel.sql.
For example, the following code would raise this exception:
Post.order("REPLACE(title, 'misc', 'zzzz') asc").pluck(:id)
The desired result can be accomplished by wrapping the known-safe string in Arel.sql:
Post.order(Arel.sql("REPLACE(title, 'misc', 'zzzz') asc")).pluck(:id)
Again, such a workaround should not be used when passing user-provided values, such as request parameters or model attributes to query methods.