I have a problem with my PowerShell script because I can't prevent SQL injection.
I don't know how to use parameters or what I can do.
I have a function to connect to the DB:
```powershell
function Get-ODBC-Data{
    param([string]$query=$(throw 'query is required.'))
    # Open an ODBC connection to PostgreSQL (server/credentials are placeholders)
    $conn = New-Object System.Data.Odbc.OdbcConnection
    $conn.ConnectionString = "Driver={PostgreSQL Unicode(x64)};Server=111.111.111.111;Port=1111;Database=user;Uid=test;Pwd=test;"
    $conn.open()
    # The whole query text is taken as-is from the caller
    $cmd = New-object System.Data.Odbc.OdbcCommand($query,$conn)
    $ds = New-Object system.Data.DataSet
    (New-Object system.Data.odbc.odbcDataAdapter($cmd)).fill($ds) | out-null
    $conn.close()
    $ds.Tables[0]
}
```
and later I try to run a command where the user can write 2 variables in the GUI, e.g. `var1` and `var2`, and my script runs the query:
```powershell
# User input is interpolated straight into the SQL text
$query = "select * from aaa where b='$var1' and c='$var2'"
$result = Get-ODBC-Data -query $query
```
but when I write something like `' or 1 = '1'; here is update command '--'` in the aaa field, this update is unfortunately executed.
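A parameterized version of the function, added here as an example (it is not the poster's own code). It assumes the same PostgreSQL ODBC driver; the connection string values are placeholders, and `$var1`/`$var2` are the two GUI inputs. ODBC binds values to positional `?` markers, so the input is sent to the server as a plain value and can never alter the statement text:

```powershell
function Get-OdbcData {
    param(
        [Parameter(Mandatory)][string]$Query,
        [object[]]$Parameters = @()
    )
    $conn = New-Object System.Data.Odbc.OdbcConnection
    # Placeholder connection values (DB_HOST, DB_PORT, ...): replace with your own
    $conn.ConnectionString = "Driver={PostgreSQL Unicode(x64)};Server=DB_HOST;Port=DB_PORT;Database=DB_NAME;Uid=DB_USER;Pwd=DB_PASSWORD;"
    try {
        $conn.Open()
        $cmd = New-Object System.Data.Odbc.OdbcCommand($Query, $conn)
        # ODBC parameters are positional: the i-th value is bound to the i-th '?'.
        # Names are required by the .NET API but ignored by the driver.
        for ($i = 0; $i -lt $Parameters.Count; $i++) {
            [void]$cmd.Parameters.AddWithValue("p$i", $Parameters[$i])
        }
        $ds = New-Object System.Data.DataSet
        [void](New-Object System.Data.Odbc.OdbcDataAdapter($cmd)).Fill($ds)
        return $ds.Tables[0]
    }
    finally {
        $conn.Close()
    }
}

# The SQL text contains no user data; only '?' markers.
# Even if $var1 holds "' or 1 = '1'; update ... --", it is compared
# literally against column b and no second statement is executed.
$result = Get-OdbcData -Query "select * from aaa where b = ? and c = ?" `
                       -Parameters @($var1, $var2)
```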