SQL Injection prevent

I have problem with my powershell script because I can’t prevent from sqli.

I don’t know how use parameters or what can I do.

I have function to connect to DB

`function Get-ODBC-Data{ param([string]$query=$(throw 'query is required.')) $conn = New-Object System.Data.Odbc.OdbcConnection $conn.ConnectionString = "Driver={PostgreSQL Unicode(x64)};Server=111.111.111.111;Port=1111;Database=user;Uid=test;Pwd=test;" $conn.open() $cmd = New-object System.Data.Odbc.OdbcCommand($query,$conn) $ds = New-Object system.Data.DataSet (New-Object system.Data.odbc.odbcDataAdapter($cmd)).fill($ds) | out-null $conn.close() $ds.Tables[0] }`
and later i try run command where user can write 2 variables in GUI
f.e.
var1
var2
and my script run query:
`select * from aaa where b='$var1' and c='$var2' $result = Get-ODBC-Data -query $query`
but when i write in aaa field something like
`' or 1 = '1'; here is update command '--'`
this update is unfortunatelly running.

Hi michal_moro12

Can you please elaborate on the issue? And are you seeing any error there?

Thank you.

I can put something like this

’ or 1 =‘1’; update HereIsUpdateQuery '–

into var1 and this update is making od DB.

I found it but it doesn’t work

$cmd = New-Object System.Data.Odbc.OdbcCommand("UPDATE Products SET Id='1' WHERE Id = @myId", $conn)
$cmd.Parameters.Add(new System.Data.Odbc.OdbcParameter("myId","001d000000YBRseAAH")
$cmd.ExecuteNonQuery()
of course I set my select instead of update from this example and change "myId" with @aaa