Securing PowerShell: How to Stop Prompt Injection Attacks, Part 1
Learn how seemingly innocent PowerShell database scripts can become dangerous security vulnerabilities when left unprotected against prompt injection attacks.
[Editor's Note: This is Part 1 of our comprehensive five-part series examining strategies to prevent prompt injection attacks. For readers interested in the complete context, we recommend reviewing Parts 2, 3, 4, and 5.]
One of the things that I have always liked about PowerShell is that because it is integrated so deeply into the Windows operating system, it is relatively easy to use PowerShell to build your own custom tools. In my own environment, for example, I have created a number of custom tools to streamline the management of my environment.
Even though PowerShell does indeed make it comparatively easy to build custom tools, it's important not to forget about security while building such a tool. After all, professional developers go to great lengths to make sure that they are writing secure code. Although PowerShell tends to be used by admins, who might not have a formal development background, it is still important to adhere to secure coding techniques. Remember, PowerShell-based tools are often run with elevated permissions, and you don't want a custom tool to be exploited.
One of the most basic vulnerabilities that you need to protect against is a prompt injection attack. Prompt injection attacks can take on a variety of forms, but they tend to be especially damaging when a PowerShell script is linked to a SQL Server database.
I want to take the opportunity to show you what a prompt injection attack looks like, how it works, and most importantly, what you can do to prevent such an attack. In doing so, I am not going to hold anything back. I am going to be showing you some malicious commands and will be using those commands to attack a SQL Server database through a relatively simple PowerShell script.
Creating a Demo Database
With that said, the very first thing that we need to do is to create the database, a couple of tables, and some sample data. For the sake of demonstration, I am going to create a database called Demo. This database will contain two tables. The Users table will store some basic user information, including a username, password, and email address. A second table called Admins will store admin usernames and passwords.
Here is the code used to build the Demo database. You can execute this code within SQL Server Management Studio.
CREATE DATABASE Demo;
GO
USE Demo;
-- Users table: basic user information
CREATE TABLE Users (
    ID INT IDENTITY(1,1) PRIMARY KEY,
    Username VARCHAR(50),
    Password VARCHAR(50),
    Email VARCHAR(100)
);
INSERT INTO Users (Username, Password, Email)
VALUES
    ('alice', 'Pa$$word1', '[email protected]'),
    ('bob', 'Secure123', '[email protected]'),
    ('charlie', 'MyDog2024', '[email protected]'),
    ('david', 'Sunshine42', '[email protected]'),
    ('emily', 'OceanBreeze1', '[email protected]'),
    ('michael', 'BlueSky77', '[email protected]'),
    ('jessica', 'HappyFeet99', '[email protected]'),
    ('william', 'CoffeeTime22', '[email protected]'),
    ('samantha', 'Rainbow88', '[email protected]'),
    ('daniel', 'MountainPeak33', '[email protected]'),
    ('ashley', 'GreenGrass9', '[email protected]'),
    ('james', 'Pineapple4Me', '[email protected]'),
    ('lauren', 'RedFox123', '[email protected]'),
    ('ryan', 'PurpleRain5', '[email protected]'),
    ('megan', 'StarDust55', '[email protected]');
-- Admins table: admin usernames and passwords
CREATE TABLE Admins (
    AdminID INT IDENTITY(1,1) PRIMARY KEY,
    Username VARCHAR(50),
    Password VARCHAR(50)
);
INSERT INTO Admins (Username, Password)
VALUES
    ('admin', 'SuperSecure!'),
    ('root', 'RootAccess2025');
You can see what the database creation and population process looks like in Figure 1.
Figure 1. This is how you create the sample database.
Creating a PowerShell Script to Query the Database
Now that we have created a demo database, the next thing we have to do is create a PowerShell script that we can use to query the database. The script that I am going to be using is a slight variation of code that I have used many times to create various utilities in my own environment (before I began to focus on secure coding). Here is what the script looks like:
# SQL Server Connection String
$ConnectionString="Invoke-SQLCmd -ServerInstance BrienMain\SQLExpress -Database Demo -Query "
##############################################################
## This is the function used to perform SQL Server queries. ##
##############################################################
Function Perform-Query {
    Param (
        [String]$QueryStatement
    )
    # Build the full command line as text, display it, then execute it
    $QueryString = $ConnectionString + '"' + $QueryStatement + '"'
    Write-Host $QueryString
    $Query = Invoke-Expression $QueryString
    Return $Query
}
# ********** Main Body ****************
CLS
$UserInput = Read-Host "Enter a username"
# The username typed at the prompt is concatenated directly into the query text
$QueryStatement = "Select Email From Users WHERE Username= '" + $UserInput + "'"
$Query = Perform-Query $QueryStatement
$Result = $Query
Write-Host "The user's email address is: " $Result.Email
This script begins by defining a connection string that will be used for connecting to the SQL Server database. In this particular case, the connection string is specific to my own environment. If you want to try this out for yourself, you will want to change the ServerInstance so that it points to your own server name and SQL Server instance name. The connection string is also designed to connect to the Demo database that we created a moment ago.
The next thing that appears within the script is a function designed to process SQL Server queries. The function accepts a SQL Server query in the form of a text string. It then combines the connection string with the query statement and uses PowerShell's Invoke-Expression cmdlet to execute the query.
The main body of the script is super simple. It prompts the user to enter a username. It then creates a query statement that is designed to look up the user's email address based on the username that was entered. This query statement is passed to the Perform-Query function, and the query result is returned. A Write-Host command displays the query results.
Although this script is pretty straightforward, there are two things that you need to know about it. First, in the interest of keeping things as simple as I could, I didn't create any error handling. If, for example, you enter an invalid username, the script will return an incomplete result (the user's email address is <blank>).
The other thing that you need to know about the script is that I included a Write-Host statement inside of the function that displays the full query. Having the query statement displayed on screen probably seems odd and out of place. However, it will be beneficial to be able to see the query when we start performing prompt injection attacks. You can see what the script's output looks like in Figure 2.
Figure 2. This is what it looks like when you run the script.
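For comparison, here is the same email lookup with the username bound as a SQL parameter and no Invoke-Expression, so the text typed at the prompt is never parsed as SQL or as PowerShell. This is an added example, not code from the article or the series; the function name Get-UserEmail is hypothetical, and the connection assumes Windows authentication against the server and database named in the script above.

```powershell
# Added example: parameterized version of the article's email lookup.
# Server and database names are taken from the article; change them for your environment.
$ServerInstance = 'BrienMain\SQLExpress'
$Database       = 'Demo'

Function Get-UserEmail {   # hypothetical name, not part of the article's script
    Param (
        [ValidateLength(1, 50)]   # Users.Username is VARCHAR(50)
        [String]$Username
    )

    $Connection = New-Object System.Data.SqlClient.SqlConnection
    # Assumption: Windows authentication, as Invoke-Sqlcmd uses by default
    $Connection.ConnectionString = "Server=$ServerInstance;Database=$Database;Integrated Security=True"
    try {
        $Connection.Open()
        $Command = $Connection.CreateCommand()
        # The query text is a constant. @Username is a placeholder, not concatenated input.
        $Command.CommandText = 'SELECT Email FROM Users WHERE Username = @Username'
        $Parameter = $Command.Parameters.Add('@Username', [System.Data.SqlDbType]::VarChar, 50)
        $Parameter.Value = $Username   # sent to SQL Server as data, never as query text

        $Reader = $Command.ExecuteReader()
        $Emails = @()
        while ($Reader.Read()) {
            if (-not $Reader.IsDBNull(0)) { $Emails += $Reader.GetString(0) }
        }
        $Reader.Close()
        return $Emails
    }
    finally {
        $Connection.Dispose()   # closes the connection even if the query throws
    }
}

$UserInput = Read-Host "Enter a username"
$Emails = @(Get-UserEmail -Username $UserInput)
if ($Emails.Count -eq 0) {
    Write-Host "No user named '$UserInput' was found."
} else {
    $Emails | ForEach-Object { Write-Host "The user's email address is: $_" }
}
```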
Now that I have provided you with a script and a database, I will turn my attention to prompt injection attacks. In Part 2, I explain what a prompt injection attack is and show you a simple example of such an attack. In Parts 3 and 4, I will show you several different attack techniques that are more in line with those used in the real world. Finally, in Part 5, I will show you two different methods that you can use to guard against such attacks.
About the Author
Technology Analyst
Brien Posey is a bestselling technology author, a speaker, and a 20X Microsoft MVP. In addition to his ongoing work in IT, Posey has spent the last several years training as a commercial astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space.