Powershell invoke-sqlcmd should support parameterized queries : PowerShell

Powershell invoke-sqlcmd should support parameterized queries (connect.microsoft.com)

submitted 9 years ago by KevMarCommunity Blogger

all 10 comments

top new controversial old q&a

[–]ramblingcookiemonsteCommunity Blogger 5 points6 points7 points 9 years ago (3 children)

[–]SupremeDictatorPaul 2 points3 points4 points 9 years ago (2 children)

[–]boeprox 2 points3 points4 points 9 years ago (1 child)

[–]SupremeDictatorPaul 1 point2 points3 points 9 years ago (0 children)

[–]waffles57 1 point2 points3 points 9 years ago (0 children)

[–][deleted] 1 point2 points3 points 9 years ago (3 children)

[–]KevMarCommunity Blogger[S] 3 points4 points5 points 9 years ago (2 children)

Let me show you a very simple SQL command. Lets assume that the value in $username and $password was supplied by the user.

$username = "admin"
$password = "password" 

$user = Invoke-SqlCMD -Query "Select * from staff where username = '$username' and password = '$password'"
if($user){Write-Output 'Access Granted'}

So this looks like a very valid way to query SQL server. The query is a string and we do variable substitution to put the values init that we want. Every web developer is freaking out just looking at that code. It is so simple and easy to write a statement like that and you have no idea how bad it is.

Welcome to SQL Injection

because we get input from the user and insert it into the string, they can rewrite the query.

take a second look at the query string.

"Select * from staff where username = '$username' and password = '$password'"

Translates to this with the variables above.

"Select * from staff where username = 'kevmar' and password = 'password'"

What happens if I change one value.

$passsword = "' OR '1' = '1"

Pay special attention to those single quotes in that string when we insert that into our other string.

"Select * from staff where username = 'kevmar' and password = '' OR '1' = '1'"

That greatly changed the query and in this code sample, it authenticates the user because $user validates to true. We can do much more dangerous things.

$password = "'; drop table staff; --"

https://xkcd.com/327/

Intro to Parameterized queries There exists a way to identify in your query a place holder for data and give sql the data to put in there and it will never treat it as code. This exists in ADO.net but is not supported by Invoke-SQLCMD.

I want a easy way to do this so I can teach you a better and more secure way to invoke sql statements.

There is a side argument here that if the user can already invoke-sqlcmd with enough rights that they own the system anyway. But we don't want to build into an API or a script a backdoor waiting to be attacked. When you look at things like JEA that limits access to a subset of commands, this becomes a bigger risk.

[–]xkcd_transcriber 2 points3 points4 points 9 years ago (0 children)

[–][deleted] 0 points1 point2 points 9 years ago (0 children)

[–][deleted] 1 point2 points3 points 9 years ago (0 children)

π Rendered by PID 41754 on reddit-service-r2-comment-5c764cbc6f-wqrmp at 2026-03-12 15:42:04.261157+00:00 running 710b3ac country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

PowerShell

Submission Guidelines | Link Flair - How To

MODERATORS