Invoke-SQLCmd considered harmful

I mentioned here that Invoke-SQLCmd (included in the SQLPS module for SQL Server) was susceptible to SQL injection attacks, but I haven’t demonstrated that or ever seen anyone show it. To do so, I’ll start with code out of the help for Invoke-SQLCmd. Here’s the code (taken from here). Notice that the parameters are encoded in a …


POSH_Ado : Inside POSH_Ado_SQLServer

In a previous post I introduced the POSH_Ado “project” and explained that it is a way to use the same code-base to access several different database platforms. I illustrated it with some sample calls to a SQL Server database using the POSH_Ado_SQLServer module and promised to show the internals of the module later. The time …


Getting Started with POSH_Ado

This is kind of long-winded; if you want, skip down to the code and it should be clear (I hope).

Where the story starts

As I mentioned here, the original adolib module got copied a few times and with cut-and-paste programming got turned into modules for other database platforms. While it was cool that it …


Checking a Field for NULL in PowerShell

It’s been a long time (over 2 months) since I last posted.  I’ll try to get back into a rhythm of posting at least weekly.  Anyway, this is something that occurred to me at work when writing a script. I usually avoid nullable columns, but sometimes date fields make sense to be null (rather than …


SQL PowerShell Extensions (SQLPSX) 2.0 Released

The first module-based release of the SQL PowerShell Extensions (SQLPSX) was released recently on CodePlex.  It features very handy wrappers for most of the SMO objects used to manipulate SQL Server metadata, SSIS packages, Replication, and (new in the 2.0 release) an ADO.NET module which I wrote based on the code in this post.  There’s …


Get-EventLog and Get-WMIObject

Recently, we had an occasion to write a process to read event logs on several SQL Servers to try to determine login times for different SQL and Windows logins. Since we have begun using PowerShell v2.0, and since Get-EventLog now has a -ComputerName parameter, it seemed like an obvious solution. The event message we were …


Executing SQL the Right Way in PowerShell

We all know that using string concatenation (or substitution) in SQL is a “bad thing”.  If you google “SQL Injection”, you’ll find hundreds of pages that tell you not to do things this way and that you need to use parameterized queries.  However, I still see a lot of code in PowerShell that does this: …
