Request #47607 Add LDAP escaping
Submitted: 2009-03-09 17:36 UTC Modified: 2013-10-23 08:47 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: gdr at go2 dot pl Assigned: daverandom (profile)
Status: Closed Package: LDAP related
PHP Version: * OS: *
Private report: No CVE-ID: None
 [2009-03-09 17:36 UTC] gdr at go2 dot pl
Description:
------------
The LDAP module needs a function to escape strings to prevent LDAP injections, like the MySQL module has mysql_escape_string().

Reproduce code:
---------------
$sr=ldap_search($ds, "", "(sn=$_GET[lastname])");

Expected result:
----------------
$sr=ldap_search($ds, "", "(sn=".ldap_escape_string($_GET[lastname]).")");


History

 [2009-03-09 21:41 UTC] gdr at go2 dot pl
One implementation of this function in PHP, found here:

http://lists.evolvis.org/pipermail/evolvis-commits/2008-November/000054.html

is:

+	function ldap_escape_string($string) //public
+	{
+		 $string = str_replace(",", '\\,', $string);
+		 $string = str_replace('"', '\\"', $string);
+		 $string = str_replace("'", '\\\'', $string);
+		 $string = str_replace("<", '\\<', $string);
+		 $string = str_replace(">", '\\>', $string);
+		 $string = str_replace(";", '\\;', $string);
+		 $string = str_replace('\\', '\\\\', $string);
+		 $string = str_replace("+", '\\+,', $string);
+		 $string = str_replace("=", '\\=,', $string);
+		 $string = str_replace("#", '\\#', $string);
+		return $string;
+	}
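Review bot: the backslash replacement `$string = str_replace('\\', '\\\\', $string);` runs after the earlier replacements, so every backslash they just inserted is doubled (`,` becomes `\,` and then `\\,`); it has to be the first replacement in the function. The `+` and `=` cases also append a stray comma: `'\\+,'` and `'\\=,'` should be `'\\+'` and `'\\='`. More fundamentally, this list is the RFC 4514 DN special-character set (with `'` thrown in, which is not special anywhere), not the filter metacharacters `\`, `*`, `(`, `)` and NUL that RFC 4515 requires escaping inside an assertion value, so for the `(sn=...)` search filter in this report `*` and `)` pass through unchanged and the injection is not prevented. A filter escaper and a DN escaper are two different functions and should be offered as such.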

I haven't, however, read the RFC for this and therefore I don't know if it's 100% correct.
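As an added example, not code from this report, from the quoted evolvis patch, or from PHP's own ext/ldap, here is userland escaping for the two contexts the thread mixes together: the RFC 4515 search-filter assertion value that the `(sn=$_GET[lastname])` example in the description needs, and the RFC 4514 DN attribute value that the quoted patch is closer to. The `example_*` function names and the attacker inputs are this example's own. PHP 5.6 and later ship the same two modes as `ldap_escape()` with `LDAP_ESCAPE_FILTER` and `LDAP_ESCAPE_DN`; the last block cross-checks the filter mode against it when that function exists.

```php
<?php
// Added example: userland filter and DN escaping for the (sn=...) search in
// this report. Not code from the report or from PHP's ext/ldap; the
// example_* names and the inputs below are this example's own.
declare(strict_types=1);

// RFC 4515: inside a filter assertion value only '\', '*', '(', ')' and NUL
// are special. Each is written as '\' followed by two lowercase hex digits.
function example_escape_filter(string $value): string
{
    $out = '';
    for ($i = 0, $n = strlen($value); $i < $n; $i++) {
        $c = $value[$i];
        if ($c === '\\' || $c === '*' || $c === '(' || $c === ')' || $c === "\x00") {
            $out .= sprintf('\\%02x', ord($c));
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// RFC 4514: in an attribute value of a DN the characters '\' ',' '+' '"' '<'
// '>' ';' '=' and NUL must be escaped, as must a leading space or '#' and a
// trailing space. The '\XX' hex form is valid for any of them, so one form
// covers every case.
function example_escape_dn(string $value): string
{
    static $special = ['\\' => 1, ',' => 1, '+' => 1, '"' => 1, '<' => 1,
                       '>' => 1, ';' => 1, '=' => 1, "\x00" => 1];
    $out = '';
    $n = strlen($value);
    for ($i = 0; $i < $n; $i++) {
        $c = $value[$i];
        $escape = isset($special[$c])
            || ($i === 0 && ($c === ' ' || $c === '#'))
            || ($i === $n - 1 && $c === ' ');
        $out .= $escape ? sprintf('\\%02x', ord($c)) : $c;
    }
    return $out;
}

// The report's search, hardened: user input only ever lands inside the
// assertion value and can no longer close the (sn=...) assertion or widen it.
function example_sn_filter(string $lastname): string
{
    return '(sn=' . example_escape_filter($lastname) . ')';
}

// Constructed attacker inputs (this example's own): a bare wildcard, which
// would match every entry, and an input that closes the assertion and opens
// an OR branch so the string is no longer the single (sn=...) the developer wrote.
$inputs = ['*', '*)(|(objectClass=*'];
foreach ($inputs as $input) {
    echo "raw:      (sn=$input)\n";
    echo "escaped:  " . example_sn_filter($input) . "\n";
}

// Same idea for a DN assembled for ldap_bind(): a ',' or '=' in the user part
// cannot add or rewrite RDNs once escaped.
$user = 'alice,ou=admins';
echo 'uid=' . example_escape_dn($user) . ",ou=people,dc=example,dc=com\n";

// PHP 5.6 and later ship this as ldap_escape(); when present, cross-check the
// filter mode against the userland version above.
if (function_exists('ldap_escape')) {
    $probe = '*)(|(objectClass=*';
    $same = ldap_escape($probe, '', LDAP_ESCAPE_FILTER) === example_escape_filter($probe);
    echo 'matches ldap_escape(): ' . ($same ? 'yes' : 'no') . "\n";
}
```

For the input `*)(|(objectClass=*` the hardened search is `(sn=\2a\29\28|\28objectClass=\2a)`, a single assertion matching only that literal surname, and the bare `*` becomes `(sn=\2a)` instead of a match-all wildcard. The DN case yields `uid=alice\2cou\3dadmins,ou=people,dc=example,dc=com`, one RDN rather than two. Note the two escapers are not interchangeable: the DN set leaves `*` and `(` alone, and the filter set leaves `,` and `=` alone, so pick the one for the context the value is being inserted into.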
 [2011-01-02 02:19 UTC] jani@php.net
-Package: Feature/Change Request +Package: LDAP related -Operating System: Linux +Operating System: * -PHP Version: 5.2.9 +PHP Version: *
 [2013-09-29 21:54 UTC] daverandom@php.net
-Assigned To: +Assigned To: daverandom
 [2013-10-23 08:47 UTC] daverandom@php.net
-Status: Assigned +Status: Closed
 [2013-10-23 08:47 UTC] daverandom@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Thu Dec 08 23:05:53 2022 UTC