how to protect against sql injection in powershell script

michal_moro · November 27, 2019, 7:46am

I try to write simple gui with login to database. I have a problem with its protection against sql injection.

How can I use parameters in query to login and password.

This is part of my script:

function Get-ODBC-Data{

param([string]$query=$(throw ‘query is required.’))

$conn = New-Object System.Data.Odbc.OdbcConnection

$conn.ConnectionString = “Driver={PostgreSQL Unicode(x64)};Server=1.2.3.4;Port=1234;Database=dbname;Uid=user;Pwd=pass;”

$conn.open()

$cmd = New-object System.Data.Odbc.OdbcCommand($query,$conn)

$ds = New-Object system.Data.DataSet

(New-Object system.Data.odbc.odbcDataAdapter($cmd)).fill($ds) | out-null

$conn.close()

$ds.Tables[0]

}

$login = Show-InputForm “aaaa” “Username” “Password*”

$user = $login[0]

$password = $login[1]

$query = “SELECT * FROM aaa WHERE user=‘$login’ and password=‘$password’”

$result = Get-ODBC-Data -query $query

Topic		Replies	Views
SQL Injection prevent PowerShell Help	2	130	November 19, 2019
Using a PoweShell parameter value in a SQL query PowerShell Help	4	137	September 27, 2017
Inserting string into command PowerShell Help	2	148	August 2, 2017
Help with database query script PowerShell Help	9	236	February 16, 2022
Pass parameter from powershell to stored procedure PowerShell Help	0	174	December 31, 2011