Securing PowerShell: How to Stop Prompt Injection Attacks, Part 5Securing PowerShell: How to Stop Prompt Injection Attacks, Part 5Securing PowerShell: How to Stop Prompt Injection Attacks, Part 5

[Editor's Note: This is the final part of our comprehensive five-part series examining strategies to prevent prompt injection attacks. For readers interested in the complete context, we recommend reviewingParts 1 , 2 , 3 , and 4 .]

In previous parts of this article series, I gave sobering examples of how an attacker could use a prompt injection attack to access or even destroy your data. Now, I want to show you some countermeasures that you can use to defend against these types of attacks.

I like to use two main techniques. Neither of these techniques is perfect, but you can combine them to have the best of both worlds.

Defending Against Prompt Injection Attacks: Technique No. 1

The first technique involves using a parameterized query. Rather than using the Invoke-SQL cmdlet, this technique uses ADO.NET, which supports parameterized queries.

Like before, the user is prompted to enter a username. Upon doing so, the username is passed to the Perform-Query function. The function then uses a connection string to connect to the SQL Server database , and it creates a SqlConnection object that represents the database connection.

After that, the function creates a command object and then defines the command text. Here is what the command text looks like:

Related:What Are the Best Free Tools for IT Pros?

code_1.png

At first glance, this looks similar to the command from the original script. However, @Username is a parameter, not a literal string. That's an important distinction, and it is what helps prevent a prompt injection attack. The actual parameter value is assigned through this line of code:

code_2.png

This is so effective at preventing a prompt injection attack because SQL Server knows to expect data — not executable code. As such, SQL Server won't even try to execute a command embedded within a prompt. The end result is that a prompt injection attack becomes impossible. Figure 1 shows what happens when I attempt a prompt injection against this script.

The script is no longer vulnerable to a prompt injection attack.

Figure 1. The script is no longer vulnerable to a prompt injection attack.

Here is the script in its entirety:

code_3a.png

While this technique works, it's not perfect. That's because although using parameterized queries will indeed prevent prompt injection attacks, it won't prevent your script from crashing if a user happens to accidentally enter an input string containing a quotation mark or an apostrophe. I know that's a bit outside of the discussion of prompt injection attacks, but whether we are talking about preventing an attack or preventing the use of problematic characters, it all comes down to input sanitization.

Related:PowerShell Remoting in a Workgroup Environment: A Step-by-Step Guide

Defending Against Prompt Injection Attacks: Technique No. 2

That being the case, I have created a function called Normalize-Input. I like to use this function in conjunction with parameterized queries to sanitize the input before attempting a query. As it is written, the function strips away potentially problematic characters such as apostrophes and quotation marks (and more). It also removes various SQL commands .

This function is not ideal for every use case and will likely need to be modified to meet your needs, but it is a good starting point. Here is what the function looks like:

code_4.pngYou will notice that the Param portion of the function uses [ref]. This tells PowerShell that we want to directly modify the contents of the variable that was passed to the function as opposed to returning a value, as is normally done. You will notice the absence of a return statement.

As a way of demonstrating how the function works, I have created a short script that prompts the user to enter a string and then normalizes that string based on the filters contained within the function. If you look at Figure 2, you can see that the string that I typed contained an apostrophe, a couple of quotation marks, and some SQL commands. These were all removed in the normalized string.

Related:10 Most Popular PowerShell Tips and Tricks of 2024

Once again, this function is not appropriate for every situation, but it can be adapted to your own needs.

PowerShell script that prompts the user to enter a string and then normalizes that string based on the filters contained within the function

Figure 2.My function has normalized a potentially problematic input string.

Here is my script:

code_5.png

• ITPro Today's 2025 IT Priorities Report

  Aug 8, 2025
  |

  2 Min Read

• Edge Computing Trends: Adoption, Challenges, and Future Outlook

  Jul 15, 2025
  |

  2 Min Read

• ITPro Today’s 2024 State of DevOps Report

  Dec 16, 2024
  |

  2 Min Read

• BCDR Basics: A Quick Reference Guide for Business Continuity & Disaster Recovery

  Oct 10, 2024
  |

  1 Min Read