Exception: ActiveRecord::UnknownAttributeReference

Relationships & Source Files
Super Chains via Extension / Inclusion / Inheritance
Class Chain: self, `ActiveRecordError`, StandardError
Instance Chain: self, `ActiveRecordError`, StandardError
Inherits:	ActiveRecord::ActiveRecordError `::Object` StandardError ActiveRecord::ActiveRecordError ActiveRecord::UnknownAttributeReference
Defined in:	activerecord/lib/active_record/errors.rb

Overview

UnknownAttributeReference is raised when an unknown and potentially unsafe value is passed to a query method. For example, passing a non column name value to a relation’s #order method might cause this exception.

When working around this exception, caution should be taken to avoid SQL injection vulnerabilities when passing user-provided values to query methods. Known-safe values can be passed to query methods by wrapping them in Arel.sql.

For example, the following code would raise this exception:

Post.order("REPLACE(title, 'misc', 'zzzz') asc").pluck(:id)

The desired result can be accomplished by wrapping the known-safe string in Arel.sql:

Post.order(Arel.sql("REPLACE(title, 'misc', 'zzzz') asc")).pluck(:id)

Again, such a workaround should not be used when passing user-provided values, such as request parameters or model attributes to query methods.