class UnknownAttributeReference
Ruby on Rails 6.1.7.10
Since v5.2.8.1UnknownAttributeReference is raised when an unknown and potentially unsafe value is passed to a query method. For example, passing a non column name value to a relation’s #order method might cause this exception.
When working around this exception, caution should be taken to avoid SQL injection vulnerabilities when passing user-provided values to query methods. Known-safe values can be passed to query methods by wrapping them in Arel.sql.
For example, the following code would raise this exception:
Post.order("length(title)").first
The desired result can be accomplished by wrapping the known-safe string in Arel.sql:
Post.order(Arel.sql("length(title)")).first
Again, such a workaround should not be used when passing user-provided values, such as request parameters or model attributes to query methods.