473,378 Members | 1,346 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > php > questions > protecting against ldap injection?

Join Bytes to post your question to a community of 473,378 software developers and data experts.

protecting against ldap injection?

Say I have the following in a PHP script of mine:

$sr=ldap_search($ds, "", "(& (sn=$_GET[lastname]) (givenName=
$_GET[firstname]*))");

If $_GET[lastname] contains a ), an attacker could escape out of the
first part of the LDAP query and perform ldap injection, as it were
(not sure what can be done with ldap injection, though).

My question is... how do I prevent this? Would I escape ) with \)?
Would there be other characters I'd need to escape, as well?

Is there a more appropriate newsgroup for questions like this?

Aug 22 '07 #1
1 4133
yawnmoth escribió:
$sr=ldap_search($ds, "", "(& (sn=$_GET[lastname]) (givenName=
$_GET[firstname]*))");

If $_GET[lastname] contains a ), an attacker could escape out of the
first part of the LDAP query and perform ldap injection, as it were
(not sure what can be done with ldap injection, though).

My question is... how do I prevent this? Would I escape ) with \)?
Would there be other characters I'd need to escape, as well?
I haven't used LDAP mysql, but the olders comment in the ldap_search()
manual page says:

Be careful of special characters when generating filters from user input.
*, (, ), \ and NUL should be backslash-escaped. See section 4 of RFC
2254 (I found it here:
http://www.cis.ohio-state.edu/htbin/rfc/rfc2254.html)

The link is broken but you can Google for rfc2254 if interested.
--
-+ http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
++ Mi sitio sobre programación web: http://bits.demogracia.com
+- Mi web de humor austrohúngaro: http://www.demogracia.com
--
Aug 22 '07 #2
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

4
Defending against SQL injection....
by: Griff | last post by:
I have a multi-page ASP web application that uses information sent to it from the client in the Request.Forms collection, the Request.QueryString collection and the Request.Cookie collection. ...
ASP / Active Server Pages
3
authenticate against AD
by: GC | last post by:
I'm looking to build a web app that authenticates against my current active directory. Anyone have any examples on how to do this? Thanks!
C# / C Sharp
9
Protecting SQL injection attacks (text input functino)
by: Darrel | last post by:
I'm learning a bit about the SWL injection issues and want to write a shared class that I can call from anywhere in my project to 'sanitize' any incoming text from textfields before sending to the...
ASP.NET
2
sashi
Protection against SQL Injection Attack
by: sashi | last post by:
hi everyone, Below is a simple function that will give you some protection against an SQL Injection attempt. what is SQL injection? SQL injection is a security vulnerability that occurs in...
ASP / Active Server Pages
6
Protecting against SQL injection
by: Tor Erik Soenvisen | last post by:
Hi, How safe is the following code against SQL injection: # Get user privilege digest = sha.new(pw).hexdigest() # Protect against SQL injection by escaping quotes uname = uname.replace("'",...
Python
22
Technical Answer - Protecting code in python
by: flit | last post by:
Hello All, I have a hard question, every time I look for this answer its get out from the technical domain and goes on in the moral/social domain. First, I live in third world with bad gov., bad...
Python
5
Protecting 'contact us' emailing forms
by: Cheb | last post by:
I am writing a simple 'contact us' email form and I am aware I should protect it from code injection and malicious email hijacks. I have used mysql_escape_string() to remove any newlines in the...
PHP
4
Check ID number against Access DB
by: JBiggsCC | last post by:
I have a very simple login page which takes an ID number via a HTML form GET. What is easiest way to check that ID number against an Access DB to see if it exists? I want to redirect with the...
ASP / Active Server Pages
4
Authenticate against Active Directory
by: Jon | last post by:
I am modifying an app for a customer in ASP.Net 1.1. The app is running on a server outside their network, yet they want to authenticate users against their internal active directory set up (they...
ASP.NET
1
Cloud Servers without Credit Card and Email Registration: A Simpler Way to Get on the Cloud
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
General
0
Wordpress or something else?
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
Content Management Systems
0
One-click Importing Excel Data into a*Database
by: ryjfgjl | last post by:
In our work, we often need to import Excel data into databases (such as MySQL, SQL Server, Oracle) for data analysis and processing. Usually, we use database tools like Navicat or the Excel import...
Microsoft Excel
0
Easy Steps to Fix "Canon Printer Won't Connect to WiFi Network"
by: taylorcarr | last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
General
0
How to turn on java script in a villaon keypad mobile phone
by: Charles Arthur | last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
Java
0
Batch import of multiple excel files into the database
by: ryjfgjl | last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
Data Management
0
Merging data from multiple Excel files
by: ryjfgjl | last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
Data Management
0
BarryA
Navigating the Data Structures and Algorithms (DSA)
by: BarryA | last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
Algorithms / Advanced Math
0
How to build RAID in BIOS?
by: Hystou | last post by:
There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
Computer Hardware

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!