From d6ad280fb4a0ed41b3db85211675453d67e8e049 Mon Sep 17 00:00:00 2001
From: Friedrich Weinmann
Date: Sun, 9 Dec 2018 21:22:19 +0100
Subject: [PATCH] Invoke-DbaSqlQuery parameter example (#4791)
---
 functions/Invoke-DbaQuery.ps1 | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/functions/Invoke-DbaQuery.ps1 b/functions/Invoke-DbaQuery.ps1
index 349a5b493e..f145a272a5 100644
--- a/functions/Invoke-DbaQuery.ps1
+++ b/functions/Invoke-DbaQuery.ps1
@@ -85,7 +85,15 @@ function Invoke-DbaQuery {
 PS C:\> Get-DbaDatabase -SqlInstance "server1", "server1\nordwind", "server2" | Invoke-DbaQuery -File "C:\scripts\sql\rebuild.sql"
 
 Runs the sql commands stored in rebuild.sql against all accessible databases of the instances "server1", "server1\nordwind" and "server2"
-
+
+ .EXAMPLE
+ PS C:\> Invoke-DbaQuery -SqlInstance . -Query 'SELECT * FROM users WHERE Givenname = @name' -SqlParameters @{ Name = "Maria" }
+
+ Executes a simple query against the users table using SQL Parameters.
+ This avoids accidental SQL Injection and is the safest way to execute queries with dynamic content.
+ Keep in mind the limitations inherent in parameters - it is quite impossible to use them for content references.
+ While it is possible to parameterize a where condition, it is impossible to use this to select which columns to select.
+ The inserted text will always be treated as string content, and not as a reference to any SQL entity (such as columns, tables or databases).
 #>
 [CmdletBinding(DefaultParameterSetName = "Query")]
 param (
@@ -319,4 +327,4 @@ function Invoke-DbaQuery {
 Test-DbaDeprecation -DeprecatedOn '1.0.0' -Alias Invoke-DbaCmd
 Test-DbaDeprecation -DeprecatedOn "1.0.0" -EnableException:$false -Alias Invoke-DbaSqlQuery
 }
-}
\ No newline at end of file
+}
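Review bot: The help text added under the new .EXAMPLE in the first hunk says parameters cannot stand in for columns, tables or databases, but it stops there, and that is exactly the point where a reader is most likely to fall back to building the query string by hand. I would add one closing line of guidance, for instance `If a column or table name has to vary, choose it from a fixed list of known names in your script; never place user input into the -Query text.` The phrase "content references" is also unclear next to the last sentence, which speaks of a "reference to any SQL entity"; using the same term in both places would read better. Separately, the example binds the hashtable key `Name` to `@name`; whether that casing difference matters on an instance with a case-sensitive collation is not visible from this hunk, so matching the case in the example would be the safer thing to show.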