Skip to content

Commit 1aec7fc

Browse files
MathiasVPMathiasVP
committed
PS: Fix example.
1 parent 657686b commit 1aec7fc

1 file changed

Lines changed: 2 additions & 2 deletions

File tree

powershell/ql/src/queries/security/cwe-089/examples/SqlInjection.ps1

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ param(
44

55
# BAD: The user input is directly interpolated into the SQL query string
66
$query1 = "SELECT * FROM users WHERE name = '$userinput'"
7-
Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query
7+
Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query1
88

99
# GOOD: Using parameters to prevent SQL injection
1010
$query2 = "SELECT * FROM users WHERE name = @username"
@@ -13,4 +13,4 @@ $params = @{
1313
username = $userinput
1414
}
1515

16-
Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query -QueryParameters $params
16+
Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query2 -QueryParameters $params

0 commit comments

Comments
 (0)