SQL Injection prevent

  • #189043

      I have a problem with my PowerShell script because I can't prevent SQL injection.

      I don't know how to use parameters or what else I can do.

      I have a function to connect to the DB:

      ```powershell
      function Get-ODBC-Data{
      # The full SQL text is passed in as one string; there is no separate parameter list.
      param([string]$query=$(throw 'query is required.'))
      $conn = New-Object System.Data.Odbc.OdbcConnection
      $conn.ConnectionString = "Driver={PostgreSQL Unicode(x64)};Server=111.111.111.111;Port=1111;Database=user;Uid=test;Pwd=test;"
      $conn.open()
      # Whatever is in $query is executed verbatim by the driver.
      $cmd = New-object System.Data.Odbc.OdbcCommand($query,$conn)
      $ds = New-Object system.Data.DataSet
      (New-Object system.Data.odbc.odbcDataAdapter($cmd)).fill($ds) | out-null
      $conn.close()
      $ds.Tables[0]
      }
      ```
      Later I run a command where the user can enter two variables in the GUI, e.g. var1 and var2, and my script runs the query:

      ```powershell
      # The user-supplied values are interpolated straight into the SQL text.
      $query = "select * from aaa where b='$var1' and c='$var2'"
      $result = Get-ODBC-Data -query $query
      ```

      But when I write in the aaa field something like
      `' or 1 = '1'; here is update command '--'`
      this update unfortunately runs.
  • #189094

      Hi michal_moro12

      Can you please elaborate on the issue? And are you seeing any error there?

      Thank you.

  • #189118

      I can put something like this

      `' or 1  ='1'; update HereIsUpdateQuery '--`

      into var1 and this update is performed on the DB.

      I found this, but it doesn't work:

      ```powershell
      $cmd = New-Object System.Data.Odbc.OdbcCommand("UPDATE Products SET Id='1' WHERE Id = @myId", $conn)
      # 'new ...' is C# syntax; in PowerShell the parameter object is built with New-Object.
      # Note: the .NET ODBC provider does not support named placeholders such as @myId;
      # it expects positional '?' markers, so this parameter never binds to the query.
      $cmd.Parameters.Add((New-Object System.Data.Odbc.OdbcParameter("myId", "001d000000YBRseAAH"))) | Out-Null
      $cmd.ExecuteNonQuery()
      ```

      Of course I put my SELECT instead of the UPDATE from this example and replaced "myId" with @aaa.
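The following is an added example, not code from any of the posters: the helper from the thread rewritten so that the SQL text carries `?` placeholders and the user-entered values are passed as ODBC parameters, which is why the `@myId` attempt above does not bind. The connection string, table `aaa` and columns `b`/`c` are taken from the thread; the hostile input is constructed for the demonstration.

```powershell
# Added example (not the poster's code). Connection details are the thread's dummy values.
function Get-ODBC-Data {
    param(
        [Parameter(Mandatory)][string]$Query,   # SQL with '?' placeholders only
        [object[]]$Parameters = @()             # one value per '?', in order
    )
    $conn = New-Object System.Data.Odbc.OdbcConnection
    $conn.ConnectionString = "Driver={PostgreSQL Unicode(x64)};Server=111.111.111.111;Port=1111;Database=user;Uid=test;Pwd=test;"
    try {
        $conn.Open()
        $cmd = New-Object System.Data.Odbc.OdbcCommand($Query, $conn)
        # The ODBC provider binds positionally: the first value fills the first '?',
        # the second the second, and so on. The name given to AddWithValue is only a label.
        $i = 0
        foreach ($p in $Parameters) {
            # $null must be sent as DBNull, otherwise the driver rejects the parameter.
            $value = if ($null -eq $p) { [DBNull]::Value } else { $p }
            [void]$cmd.Parameters.AddWithValue("p$i", $value)
            $i++
        }
        $ds = New-Object System.Data.DataSet
        [void](New-Object System.Data.Odbc.OdbcDataAdapter($cmd)).Fill($ds)
        $ds.Tables[0]
    }
    finally {
        # Runs even if Open() or Fill() throws, so connections are not leaked.
        $conn.Close()
    }
}

# Vulnerable pattern from the thread: the value is spliced into the SQL text, so a quote
# in $var1 terminates the literal and everything after it is parsed as SQL.
#   $query = "select * from aaa where b='$var1' and c='$var2'"

# Safe pattern: the statement shape is fixed before any user data is seen; $var1 and $var2
# travel as data and are never parsed as SQL.
$var1 = "' or 1 ='1'; update HereIsUpdateQuery '--"   # constructed hostile input
$var2 = 'normal'
$rows = Get-ODBC-Data -Query "select * from aaa where b = ? and c = ?" -Parameters @($var1, $var2)
# $rows holds only rows whose column b literally equals the whole injected string
# (normally none), and no UPDATE is executed.
```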
