I am trying to write a simple GUI with a login to a database. I have a problem with protecting it against SQL injection.
How can I use parameters in the query for the login and password?
This is part of my script:
function Get-ODBC-Data {
    param([string]$query = $(throw 'query is required.'))
    $conn = New-Object System.Data.Odbc.OdbcConnection
    $conn.ConnectionString = "Driver={PostgreSQL Unicode(x64)};Server=1.2.3.4;Port=1234;Database=dbname;Uid=user;Pwd=pass;"
    $conn.Open()
    # The whole SQL text, including any user input pasted into it, is sent as-is
    $cmd = New-Object System.Data.Odbc.OdbcCommand($query, $conn)
    $ds = New-Object System.Data.DataSet
    (New-Object System.Data.Odbc.OdbcDataAdapter($cmd)).Fill($ds) | Out-Null
    $conn.Close()
    $ds.Tables[0]
}
$login = Show-InputForm "aaaa" "Username" "Password*"
$user = $login[0]
$password = $login[1]
# Vulnerable: the user-controlled values are concatenated straight into the SQL text
$query = "SELECT * FROM aaa WHERE user='$user' and password='$password'"
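The way to keep user input out of the SQL text with `System.Data.Odbc` is to put positional `?` placeholders in the query and bind the values through `OdbcCommand.Parameters`. The following is an added example, not the poster's script: it keeps the same table and column names from the question (`aaa`, `user`, `password`) and the same connection string, and it still assumes the poster's `Show-InputForm` function exists and returns the two entered values.

```powershell
# Added example (not the poster's code): parameterised ODBC query in PowerShell.
# Assumes the question's table/columns (aaa, user, password), the same connection
# string, and the poster's own Show-InputForm function returning @(user, password).
function Get-ODBC-Data {
    param(
        [Parameter(Mandatory)][string]$Query,
        # Values bound to the '?' placeholders, in the order they appear in $Query
        [object[]]$Parameters = @()
    )
    $conn = New-Object System.Data.Odbc.OdbcConnection
    $conn.ConnectionString = "Driver={PostgreSQL Unicode(x64)};Server=1.2.3.4;Port=1234;Database=dbname;Uid=user;Pwd=pass;"
    try {
        $conn.Open()
        $cmd = New-Object System.Data.Odbc.OdbcCommand($Query, $conn)

        # ODBC parameters are positional: the driver binds them by order, not by name,
        # so the names given here are only labels. The values travel separately from the
        # SQL text, so quotes or comment markers inside them are treated as data.
        $i = 0
        foreach ($value in $Parameters) {
            $null = $cmd.Parameters.AddWithValue("p$i", $value)
            $i++
        }

        $ds = New-Object System.Data.DataSet
        $adapter = New-Object System.Data.Odbc.OdbcDataAdapter($cmd)
        $null = $adapter.Fill($ds)
        # Return the DataTable as one object so the caller can read .Rows.Count
        Write-Output -NoEnumerate $ds.Tables[0]
    }
    finally {
        $conn.Close()
    }
}

$login    = Show-InputForm "aaaa" "Username" "Password*"
$user     = $login[0]
$password = $login[1]

# Note: in PostgreSQL "user" is a reserved word, so the column is double-quoted;
# the rest of the statement is fixed text with two '?' markers and no interpolation.
$sql  = 'SELECT * FROM aaa WHERE "user" = ? AND password = ?'
$rows = Get-ODBC-Data -Query $sql -Parameters @($user, $password)

if ($rows.Rows.Count -gt 0) {
    'login ok'
} else {
    'login failed'
}
```

The important change is that `$user` and `$password` never appear inside the string passed as the command text; the query always has the same shape, and the driver hands the two values to the server as bound parameters. Comparing the password column directly in SQL also implies the table holds passwords in clear text, which is a separate weakness from injection; the parameterisation above does not address it.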