Posted by Álvaro G. Vicario on 08/22/07 22:52
yawnmoth wrote:
> $sr=ldap_search($ds, "", "(& (sn=$_GET[lastname]) (givenName=
> $_GET[firstname]*))");
>
> If $_GET[lastname] contains a ), an attacker could escape out of the
> first part of the LDAP query and perform ldap injection, as it were
> (not sure what can be done with ldap injection, though).
>
> My question is... how do I prevent this? Would I escape ) with \)?
> Would there be other characters I'd need to escape, as well?
I haven't used LDAP myself, but the oldest comment in the ldap_search()
manual page says:
Be careful of special characters when generating filters from user input.
*, (, ), \ and NUL should be backslash-escaped. See section 4 of RFC
2254 (I found it here:
http://www.cis.ohio-state.edu/htbin/rfc/rfc2254.html)
The link is broken but you can Google for rfc2254 if interested.
--
-+ http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
++ My site about web programming: http://bits.demogracia.com
+- My Austro-Hungarian humour site: http://www.demogracia.com
--
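The escaping the manual comment describes, as an added example that is not code from either poster: the five RFC 2254 filter metacharacters are replaced by a backslash plus their two-digit hex code before the value is interpolated into the filter. The helper names `ldap_filter_escape` and `build_name_filter` and the sample input are assumptions made for this example.

```php
<?php
// Added example, not from the original thread. Escapes a value for use inside an
// LDAP search filter per RFC 2254 section 4, which is the same rule the manual
// comment quotes: *, (, ), \ and NUL become backslash + two hex digits.
function ldap_filter_escape(string $value): string
{
    // strtr() with an array scans the input once, so an inserted backslash is
    // never itself re-escaped by a later replacement.
    $map = [
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ];
    return strtr($value, $map);
}

// Builds the filter from the question with both user-supplied values escaped.
// The trailing * after givenName is intentional and therefore added after escaping.
function build_name_filter(string $lastname, string $firstname): string
{
    return sprintf(
        '(&(sn=%s)(givenName=%s*))',
        ldap_filter_escape($lastname),
        ldap_filter_escape($firstname)
    );
}

// Constructed sample input containing a ) and a *: after escaping, neither can
// close the (sn=...) component early or widen the match.
$filter = build_name_filter('Smith)*', 'Jo');
echo $filter, PHP_EOL;

// On PHP 5.6 and later the bundled ldap_escape() does the same job:
//   $safe = ldap_escape($_GET['lastname'], '', LDAP_ESCAPE_FILTER);
// The escaped filter is then passed to ldap_search() in place of the raw string.
```

Escaping protects the filter syntax only; the base DN argument needs its own (DN) escaping rules if it is ever built from user input.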