SQL Injection prevent

Forum: General PowerShell Q&A

    • #189043

      I have a problem with my PowerShell script because I can't prevent SQLi.

      I don't know how to use parameters or what I can do.

      I have a function to connect to the DB:

      ```powershell
      function Get-ODBC-Data {
          param([string]$query = $(throw 'query is required.'))
          $conn = New-Object System.Data.Odbc.OdbcConnection
          $conn.ConnectionString = "Driver={PostgreSQL Unicode(x64)};Server=;Port=1111;Database=user;Uid=test;Pwd=test;"
          # the query text is handed to the driver exactly as received
          $cmd = New-Object System.Data.Odbc.OdbcCommand($query, $conn)
          $ds = New-Object System.Data.DataSet
          # Fill opens the connection, executes the command and closes it again
          (New-Object System.Data.Odbc.OdbcDataAdapter($cmd)).Fill($ds) | Out-Null
          $ds.Tables[0]
      }
      ```
      and later I run a command where the user can enter 2 variables in a GUI,
      and my script runs the query:

      ```powershell
      # the two GUI values are interpolated straight into the SQL text
      $query = "select * from aaa where b='$var1' and c='$var2'"
      $result = Get-ODBC-Data -query $query
      ```

      but when I write in the aaa field something like
      `' or 1 = '1'; here is update command '--`
      this update is unfortunately running.
    • #189094

      Hi michal_moro12

      Can you please elaborate on the issue? And are you seeing any error there?

      Thank you.

    • #189118

      I can put something like this

      `' or 1 = '1'; update HereIsUpdateQuery '--`

      into var1 and this update is made on the DB.

      I found this, but it doesn't work:

      ```powershell
      # Corrected from the snippet as posted: PowerShell has no C#-style 'new' keyword,
      # and System.Data.Odbc binds parameters by position to '?' markers, so a named
      # '@myId' placeholder is never matched. Parameters are added in marker order.
      $cmd = New-Object System.Data.Odbc.OdbcCommand("UPDATE Products SET Id='1' WHERE Id = ?", $conn)
      $cmd.Parameters.Add((New-Object System.Data.Odbc.OdbcParameter("myId", "001d000000YBRseAAH"))) | Out-Null
      ```

      Of course I set my select instead of the update from this example and change "myId" to @aaa.

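The following is an added example, not code from any post in this thread: a parameterised replacement for the poster's Get-ODBC-Data that answers both the first post's "how do I use parameters" and the third post's failed attempt. The .NET ODBC provider (System.Data.Odbc) does not support named placeholders such as @myId or @aaa; OdbcCommand binds parameters by position to `?` markers, in the order they are added to the collection, so the values go in as an array in marker order. The connection string is the one from the first post (the empty Server= is left as posted), and the table aaa, its columns b and c, and the sample values are assumptions.

```powershell
# Added example: a parameterised replacement for the poster's Get-ODBC-Data.
# Assumptions: the connection string from the first post (Server= left blank as
# posted), and the table 'aaa' with columns b and c from the poster's query.
function Get-ODBC-Data {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Query,

        # One value per '?' marker, in the order the markers appear in $Query.
        # System.Data.Odbc ignores parameter names and binds by position only;
        # '@name' placeholders are not understood by the provider.
        [object[]]$Parameters = @()
    )

    $connString = "Driver={PostgreSQL Unicode(x64)};Server=;Port=1111;Database=user;Uid=test;Pwd=test;"
    $conn = New-Object System.Data.Odbc.OdbcConnection($connString)
    $cmd  = New-Object System.Data.Odbc.OdbcCommand($Query, $conn)

    for ($i = 0; $i -lt $Parameters.Count; $i++) {
        $p = New-Object System.Data.Odbc.OdbcParameter
        $p.ParameterName = "p$i"          # a name is required by the API but not used for binding
        if ($null -eq $Parameters[$i]) {
            $p.Value = [DBNull]::Value    # a PowerShell $null must be sent as SQL NULL
        } else {
            $p.Value = $Parameters[$i]    # sent to the driver as data, never as SQL text
        }
        [void]$cmd.Parameters.Add($p)
    }

    $ds = New-Object System.Data.DataSet
    try {
        $adapter = New-Object System.Data.Odbc.OdbcDataAdapter($cmd)
        [void]$adapter.Fill($ds)          # opens the connection, runs the command, closes it
    }
    finally {
        $cmd.Dispose()
        $conn.Dispose()
    }
    if ($ds.Tables.Count -gt 0) { return $ds.Tables[0] }
}

# Constructed sample input: $var1 carries the kind of payload the poster typed.
# Bound as a parameter it is compared literally against column b; the UPDATE
# inside it is never parsed as SQL, so nothing in the table is modified.
$var1 = "' or 1 = '1'; update aaa set c = 'x' '--"
$var2 = 'some value'

$query  = 'select * from aaa where b = ? and c = ?'
$result = Get-ODBC-Data -Query $query -Parameters @($var1, $var2)
$result | Format-Table -AutoSize
```

Because the function keeps the original name, the only change at each call site is to replace the interpolated `'$var1'` and `'$var2'` with `?` and pass the values through -Parameters. The same rule applies to any other statement built from GUI input: values are always bound, and only identifiers that cannot be parameterised (table or column names) are ever composed into the text, and then only from a fixed allow-list.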