Say I have the following in a PHP script of mine:

$sr=ldap_search($ds, "", "(& (sn=$_GET[lastname]) (givenName=
$_GET[firstname]*))");

If $_GET[lastname] contains a ), an attacker could escape out of the
first part of the LDAP query and perform ldap injection, as it were
(not sure what can be done with ldap injection, though).

My question is... how do I prevent this? Would I escape ) with \)?
Would there be other characters I'd need to escape, as well?

Is there a more appropriate newsgroup for questions like this?

yawnmoth escribió:

Quote:

$sr=ldap_search($ds, "", "(& (sn=$_GET[lastname]) (givenName=
$_GET[firstname]*))");
>
If $_GET[lastname] contains a ), an attacker could escape out of the
first part of the LDAP query and perform ldap injection, as it were
(not sure what can be done with ldap injection, though).
>
My question is... how do I prevent this? Would I escape ) with \)?
Would there be other characters I'd need to escape, as well?

I haven't used LDAP mysql, but the olders comment in the ldap_search()
manual page says:

Be careful of special characters when generating filters from user input.
*, (, ), \ and NUL should be backslash-escaped. See section 4 of RFC
2254 (I found it here:
http://www.cis.ohio-state.edu/htbin/rfc/rfc2254.html)

The link is broken but you can Google for rfc2254 if interested.


--
-+ http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
++ Mi sitio sobre programación web: http://bits.demogracia.com
+- Mi web de humor austrohúngaro: http://www.demogracia.com
--