PHP :: Request #47607 :: Add LDAP escaping

Add LDAP escaping

Submitted:

2009-03-09 17:36 UTC

Modified:

2013-10-23 08:47 UTC

Votes:	2
Avg. Score:	4.0 ± 1.0
Reproduced:	2 of 2 (100.0%)
Same Version:	2 (100.0%)
Same OS:	1 (50.0%)

From:

gdr at go2 dot pl

Assigned:

daverandom (profile)

Status:

Closed

Package:

LDAP related

PHP Version:

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	gdr at go2 dot pl
New email:
PHP Version:		OS:

New Comment:

[2009-03-09 17:36 UTC] gdr at go2 dot pl

Description:
------------
The LDAP module needs a function to escape strings to prevent LDAP injections, like MySQL module has mysql_escape_string()

Reproduce code:
---------------
$sr=ldap_search($ds, "", "(sn=$_GET[lastname])");

Expected result:
----------------
$sr=ldap_search($ds, "", "(sn=".ldap_escape_string($_GET[lastname]).")");

Patches

Pull Requests

Pull requests:

Add ldap_escape() (php-src/458)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-03-09 21:41 UTC] gdr at go2 dot pl

One implementation of this function in PHP, found here:

http://lists.evolvis.org/pipermail/evolvis-commits/2008-November/000054.html

is:

+	function ldap_escape_string($string) //public
+	{
+		 $string = str_replace(",", '\\,', $string);
+		 $string = str_replace('"', '\\"', $string);
+		 $string = str_replace("'", '\\\'', $string);
+		 $string = str_replace("<", '\\<', $string);
+		 $string = str_replace(">", '\\>', $string);
+		 $string = str_replace(";", '\\;', $string);
+		 $string = str_replace('\\', '\\\\', $string);
+		 $string = str_replace("+", '\\+,', $string);
+		 $string = str_replace("=", '\\=,', $string);
+		 $string = str_replace("#", '\\#', $string);
+		return $string;
+	}

I haven't, however, read RFC for this and therefore I don't know if it's 100% correct.

[2011-01-02 02:19 UTC] jani@php.net

-Package: Feature/Change Request +Package: LDAP related -Operating System: Linux +Operating System: * -PHP Version: 5.2.9 +PHP Version: *

[2013-09-29 21:54 UTC] daverandom@php.net

-Assigned To: +Assigned To: daverandom

[2013-10-23 08:47 UTC] daverandom@php.net

-Status: Assigned +Status: Closed

[2013-10-23 08:47 UTC] daverandom@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 17:01:58 2024 UTC