http://blogs.msdn.com/powershell/archive/2006/11/23/protecting-against-malicious-code-injection.aspxIf you are writing scripts that accept input from users - you need to be aware of the potential dangers of Malicious Code-Injection. Below is a good good article on this topic: http://www.site-reference.com/articles/Website-Development/Malicious-Code-Injection-It-s-Not-Just-for-SQL-Anymore.htmlen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/powershell/archive/2006/11/23/protecting-against-malicious-code-injection.aspx#1141425Fri, 24 Nov 2006 19:29:57 GMT91d46819-8472-40ad-a661-2c78acb4018c:1141425Mike<p>So let's say you have a situation where you _need_ to include user input in an invoke-expression statement.</p> <p>What would be the best approach to escaping the input? I imagine the usual characters like &quot; ' ; etc would need to be backticked. Perhaps there needs to be a standard function for this kind of thing?</p>http://blogs.msdn.com/powershell/archive/2006/11/23/protecting-against-malicious-code-injection.aspx#1149206Sat, 25 Nov 2006 22:38:29 GMT91d46819-8472-40ad-a661-2c78acb4018c:1149206PowerShellTeam<p>It really depends on what you mean by &quot;include the user input&quot;. If you just want to use it as data, put it in a variable and then reference the variable:</p> <p>$i = read-host</p> <p>invoke-expression 'write-output $i'</p> <p>There is no need to quote the user's input since it's just a value. Of course there's also no reason to use invoke-expression in this case since</p> <p>write-output $i</p> <p>will work fine. Perhaps you can expand on the scenario where you need to include the user's input?</p> <p>-bruce</p> <p>--------------------------</p> <p>Bruce Payette [MSFT]</p> <p>PowerShell Technical Lead</p> <p>Microsoft Corp.</p> http://blogs.msdn.com/powershell/archive/2006/11/23/protecting-against-malicious-code-injection.aspx#1160367Mon, 27 Nov 2006 20:05:47 GMT91d46819-8472-40ad-a661-2c78acb4018c:1160367PowerShellTeam<p>Another thing to keep in mind is what you consider to be your trust boundary. </p> <p>Most commonly, improper use of Invoke-Expression will just result in buggy code -- the user might use a semicolon and wonder why they are getting an error message. For that reason, you should avoid Invoke-Expression when dealing with user input unless necessary.</p> <p>If the user is running your script on their own machine under their own credentials, then you don't have to worry about the security aspects of Invoke-Expression, as they could just as easily do whatever they wanted to trick your script into anyways. If you've taken input from an untrusted user on the network, an untrusted user on a web page input field, or some other untrusted source, THEN you should be extremely conservative with what input you allow.</p> <p>Code injection attacks become attacks once they cross a trust boundary. If they don't cross a trust boundary, they are just a complicated and buggy way of doing what a user could already do.</p> <p>Lee</p>