0

I'm getting the following error in my PowerShell script:

Exception calling "ExecuteNonQuery" with "0" argument(s): "Invalid column name 'False'.

function InsertData {
    Param (
    [string]$username,
    [string]$fullname,
    [string]$email,
    [string]$phone
    )
    $DBServer = "SERVERNAME"
    $DBName = "Tool"
    $sqlConnection = New-Object System.Data.SqlClient.SqlConnection
    $sqlConnection.ConnectionString = "Server=$DBServer;Database=$DBName;Integrated Security=False;User Id = User;password = password"
    $sql = "INSERT INTO Employee (LocationId,FullName,username,email,phone,EquipId,SystemDetailId,migrationdate,UAT,bdpaccess) VALUES ('" + $location + "','" + $fullname + "','" + $username + "','" + $email + "','" + $phone + "',5,4," + $migrationdate + ",False,False)"

    $sqlCommand = New-Object System.Data.SqlClient.SqlCommand
    $sqlCommand.Connection = $sqlConnection

    $sqlCommand.CommandText = $sql

    write-host $sql
    $sqlConnection.Open()
    $sqlCommand.ExecuteNonQuery()
    $sqlConnection.Close()
}

I'm apparently doing something wrong where I'm typing "False,False" as part of the statement. I tried all caps, lowercase, 0 and 1, nothing works. When I write it to the powershell command window using Write-Host $sql, it looks fine.

4
  • If the SQL data type is bit, specify zero for the literal. Consider a parameterized query. Commented Jun 26, 2017 at 18:52
  • How is this called? It looks like an sql injection nightmare to me. Even benign data like someone with an apostrophe in their full name ("O'brien", Bobby Tables) will kill this dead. Commented Jun 26, 2017 at 18:54
  • I tried parameters but they didn't work, they got too many errors. Commented Jun 26, 2017 at 19:11
  • I'm not worried about injection, this isn't public. Nobody's inserting anything into any fields. It's powershell. I'm calling it by typing it from the command prompt. Commented Jun 26, 2017 at 19:11

1 Answer

2

SQL Server (like most other DBs) does not have a real boolean type. There is no False. It does have a bit type with values 0 (false) and 1 (true). I've also seen char(1) (i.e., 'Y' and 'N') and DateTime types (where NULL is false and any other value is the date on which the field became true) used as popular alternatives.

While I'm here, that code looks scary. SQL injection is a real thing, and it's a big deal. Even benign data like someone with the last name "O'Brien" could throw this query off in a big way. You need to look into parameterized queries. At minimum, looking more at the query text, I suspect the $migrationdate value needs single quotes around it.


6 Comments

tried parameters but they didn't work, they got too many errors. I'm not worried about injection, this isn't public. Nobody's inserting anything into any fields. It's powershell. I'm calling it by typing it from the command prompt.
Also I tried quotes around $migrationdate and it didn't like that. The string says 2/20/2017.
Do me a favor, and don't stop with this until you can correctly insert a name with an apostrophe. It's not always about malicious injection; perfectly normal data can break this, too, and parameterized queries are the easiest and best solution.
Parameterized queries gave me this error: The splatting operator '@' cannot be used to reference variables in an expression. '@dt' can be used only as an argument to a command. when trying to use sqlCommand.Parameters.Add(@dt, $migrationdate) or literally anything else I tried to add as a parameter.
I fixed the errors I was getting with parameters, apparently 0 and 1 as booleans are the only way to get it to work.
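
Added example, not part of the original thread: a parameterized version of the question's INSERT, showing the quoted parameter names that avoid the splatting error from the comments, bit columns fed from [bool] values, and a full name containing an apostrophe. Column types and sizes, the sample row, the function name and `Integrated Security=True` are assumptions; the table, column, server and database names are the question's.

```powershell
# Added example, not the asker's code. Column types/sizes are assumptions;
# table and column names, SERVERNAME and Tool come from the question.
function New-EmployeeInsert {
    param (
        [System.Data.SqlClient.SqlConnection]$Connection,
        [int]$LocationId,
        [string]$FullName,
        [string]$UserName,
        [string]$Email,
        [string]$Phone,
        [datetime]$MigrationDate,
        [bool]$Uat = $false,
        [bool]$BdpAccess = $false
    )
    $cmd = New-Object System.Data.SqlClient.SqlCommand
    $cmd.Connection = $Connection
    # Single-quoted here-string: PowerShell expands nothing, so @names reach SQL Server as-is.
    $cmd.CommandText = @'
INSERT INTO Employee (LocationId, FullName, username, email, phone,
                      EquipId, SystemDetailId, migrationdate, UAT, bdpaccess)
VALUES (@location, @fullname, @username, @email, @phone, 5, 4, @dt, @uat, @bdp)
'@
    $dbType = [System.Data.SqlDbType]
    # Parameter names are quoted strings; a bare @dt is parsed as the splatting operator.
    $cmd.Parameters.Add('@location', $dbType::Int).Value           = $LocationId
    $cmd.Parameters.Add('@fullname', $dbType::NVarChar, 200).Value = $FullName
    $cmd.Parameters.Add('@username', $dbType::NVarChar, 100).Value = $UserName
    $cmd.Parameters.Add('@email',    $dbType::NVarChar, 200).Value = $Email
    $cmd.Parameters.Add('@phone',    $dbType::NVarChar, 50).Value  = $Phone
    $cmd.Parameters.Add('@dt',       $dbType::DateTime).Value      = $MigrationDate
    # [bool] maps to the bit type: $false is sent as 0, $true as 1.
    $cmd.Parameters.Add('@uat',      $dbType::Bit).Value           = $Uat
    $cmd.Parameters.Add('@bdp',      $dbType::Bit).Value           = $BdpAccess
    return $cmd
}

# Constructed sample row; building the command does not contact the server.
$conn = New-Object System.Data.SqlClient.SqlConnection 'Server=SERVERNAME;Database=Tool;Integrated Security=True'
$cmd = New-EmployeeInsert -Connection $conn -LocationId 3 -FullName "Siobhan O'Brien" `
    -UserName 'sobrien' -Email 'sobrien@example.com' -Phone '555-0100' -MigrationDate '2/20/2017'
$cmd.Parameters | Format-Table ParameterName, SqlDbType, Value

# To run it against a real server:
# try { $conn.Open(); [void]$cmd.ExecuteNonQuery() } finally { $conn.Dispose() }
```

The apostrophe in the name travels as a parameter value and never becomes part of the SQL text, so it cannot terminate a string literal.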