Type safe parameters in Get-SQLData

Jul 26, 2011 at 9:09 AM

I am currently looking for ways to interact with SQL Server from Powershell. I came across your module, which seems great, but I'm concerned about SQL injections. Is there a function which returns results from a SQL query but accepts type-safe parameters? Get-SQLData doesn't accept type-safe parameters. The code below is not very safe because someone can do a SQL injection with the string parameter.

Get-SqlData $srv "testdb" "select * from customers where CustomerName=$CustomerName"

Coordinator
Jul 26, 2011 at 12:20 PM

Hmm, SQL Injection? I think you're missing the point of the SQLServer module. It is a module for administrators to manage SQL Server. In this way Get-SqlData is exactly like sqlcmd, osql, SSMS or SQLPlus. These tools allow administrators/developers to run open-ended queries against a database and are not meant to be embedded in a user-facing application where there could be concerns of SQL Injection.

If you're interested in a Powershell framework with constrained types and defined ADO.NET parameters see the adolib module.
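Added example (not code from the SQLServer module, the adolib module, or either poster): a PowerShell function that runs a query through ADO.NET with typed SqlParameter objects, so the value from the question's $CustomerName is sent as data rather than spliced into the SQL text. The function name Get-SqlDataParam, the server and database names, and the customers table with a CustomerName column are assumptions for illustration.

```powershell
# Added example, not part of the SQLServer or adolib modules.
# Assumes a reachable SQL Server instance (placeholder names below) with a
# customers table that has a CustomerName column, as in the question above.

function Get-SqlDataParam {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)] [string] $ServerInstance,
        [Parameter(Mandatory=$true)] [string] $Database,
        [Parameter(Mandatory=$true)] [string] $Query,
        # Parameter name -> @{ Type = [System.Data.SqlDbType]; Value = ...; Size = ... (optional) }
        [hashtable] $Parameters = @{}
    )

    $connString = "Server=$ServerInstance;Database=$Database;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    $cmd  = $conn.CreateCommand()
    $cmd.CommandType = [System.Data.CommandType]::Text
    $cmd.CommandText = $Query   # constant SQL text; no user input is concatenated into it

    foreach ($name in $Parameters.Keys) {
        $spec = $Parameters[$name]
        # An explicit SqlDbType makes the value a typed parameter. The server
        # compares it as a value, so a quote or comment marker inside the
        # string cannot change the structure of the statement.
        $p = $cmd.Parameters.Add($name, $spec.Type)
        if ($spec.ContainsKey('Size')) { $p.Size = $spec.Size }
        $p.Value = if ($null -eq $spec.Value) { [DBNull]::Value } else { $spec.Value }
    }

    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        try { $table.Load($reader) } finally { $reader.Dispose() }
    }
    finally {
        $conn.Dispose()
    }
    return $table
}

# Usage: the name arrives only as a typed NVarChar parameter, never as SQL text.
$CustomerName = "O'Brien"   # constructed input; the embedded quote is harmless here
Get-SqlDataParam -ServerInstance 'SQLSERVER01\INSTANCE' -Database 'testdb' `
    -Query 'SELECT * FROM customers WHERE CustomerName = @CustomerName' `
    -Parameters @{
        '@CustomerName' = @{ Type = [System.Data.SqlDbType]::NVarChar; Size = 100; Value = $CustomerName }
    }
```

Compared with the interpolated call in the question, the query string here is a literal with a placeholder, and the value travels to the server in the parameter stream. Declaring the SqlDbType and Size up front also keeps the parameter's type stable across calls, which is the "type-safe parameters" property the question asks for.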