UnknownAttributeReference is raised when an unknown and potentially unsafe value is passed to a query method while allow_unsafe_raw_sql is set to :disabled. For example, passing a value that is not a column name to a relation's #order method might cause this exception.
When working around this exception, caution should be taken to avoid SQL injection vulnerabilities when passing user-provided values to query methods. Known-safe values can be passed to query methods by wrapping them in Arel.sql.
For example, with allow_unsafe_raw_sql set to :disabled, the following code would raise this exception:
    Post.order("length(title)").first
The desired result can be accomplished by wrapping the known-safe string in Arel.sql:
    Post.order(Arel.sql("length(title)")).first
Again, such a workaround should not be used when passing user-provided values, such as request parameters or model attributes, to query methods.
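One way to honour that caveat when the sort order does come from a request is to treat the parameter only as a key into a fixed set of developer-written fragments, so that nothing the user typed ever reaches Arel.sql. This is an added example, not code from the Rails documentation; the `sort` parameter format, the keys, the `UnsupportedSort` class and the `safe_order_clauses` helper are assumptions made for illustration.

```ruby
# Added example: allowlist mapping from a request "sort" parameter to fixed
# SQL fragments. The keys, columns and parameter format are assumptions.

# Developer-written fragments: the only strings that are ever wrapped in Arel.sql.
SORT_FRAGMENTS = {
  "title"        => "title",
  "title_length" => "length(title)",
  "created"      => "created_at"
}.freeze

DIRECTIONS = { "asc" => "ASC", "desc" => "DESC" }.freeze

class UnsupportedSort < ArgumentError; end

# Parses e.g. "title_length:desc,created" into
# ["length(title) DESC", "created_at ASC"].
# No part of the input is copied into the output: each term is used only as a
# lookup key, and an unknown key or direction raises instead of being passed on.
def safe_order_clauses(param, default: "created:desc")
  raw = param.to_s.strip
  raw = default if raw.empty?

  terms = raw.split(",").map(&:strip)
  raise UnsupportedSort, "too many sort terms" if terms.size > SORT_FRAGMENTS.size

  terms.map do |term|
    key, dir = term.split(":", 2)
    fragment  = SORT_FRAGMENTS[key]
    direction = DIRECTIONS[(dir || "asc").downcase]
    # The message deliberately does not echo the rejected input.
    raise UnsupportedSort, "unsupported sort term" unless fragment && direction
    "#{fragment} #{direction}"
  end
end

# In a Rails application (not executed here), the result is known-safe because
# it was assembled purely from the constants above:
#   Post.order(Arel.sql(safe_order_clauses(params[:sort]).join(", ")))
```

Rescue `UnsupportedSort` in the controller and answer with a 400 response or fall back to the default order; the request value itself should never be wrapped in Arel.sql.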