Request #47607 Add LDAP escaping
Submitted: 2009-03-09 17:36 UTC Modified: 2013-10-23 08:47 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: gdr at go2 dot pl Assigned: daverandom (profile)
Status: Closed Package: LDAP related
PHP Version: * OS: *
Private report: No CVE-ID: None
 [2009-03-09 17:36 UTC] gdr at go2 dot pl
Description:
------------
The LDAP module needs a function to escape strings to prevent LDAP injections, like the MySQL module has mysql_escape_string().

Reproduce code:
---------------
$sr=ldap_search($ds, "", "(sn=$_GET[lastname])");

Expected result:
----------------
$sr=ldap_search($ds, "", "(sn=".ldap_escape_string($_GET['lastname']).")");


History

 [2009-03-09 21:41 UTC] gdr at go2 dot pl
One implementation of this function in PHP, found here:

http://lists.evolvis.org/pipermail/evolvis-commits/2008-November/000054.html

is:

+	function ldap_escape_string($string) //public
+	{
+		 $string = str_replace(",", '\\,', $string);
+		 $string = str_replace('"', '\\"', $string);
+		 $string = str_replace("'", '\\\'', $string);
+		 $string = str_replace("<", '\\<', $string);
+		 $string = str_replace(">", '\\>', $string);
+		 $string = str_replace(";", '\\;', $string);
+		 $string = str_replace('\\', '\\\\', $string);
+		 $string = str_replace("+", '\\+,', $string);
+		 $string = str_replace("=", '\\=,', $string);
+		 $string = str_replace("#", '\\#', $string);
+		return $string;
+	}
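
Review bot: The backslash replacement (`str_replace('\\', '\\\\', $string)`) runs seventh, after the replacements for `,` `"` `'` `<` `>` `;`, so every backslash those six lines inserted is doubled and a comma ends up preceded by two backslashes instead of one; it should be the first replacement, or all substitutions should happen in a single pass. The `+` and `=` lines also append a stray comma to their output (`'\\+,'` and `'\\=,'`). Finally, the characters handled here are the ones special in distinguished names, while the search filter in this report, `(sn=...)`, is broken out of with `*`, `(` and `)`, which this function leaves untouched, so it would not prevent the injection the request describes.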

I haven't, however, read the RFC for this and therefore I don't know if it's 100% correct.
 [2011-01-02 02:19 UTC] jani@php.net
-Package: Feature/Change Request +Package: LDAP related -Operating System: Linux +Operating System: * -PHP Version: 5.2.9 +PHP Version: *
 [2013-09-29 21:54 UTC] daverandom@php.net
-Assigned To: +Assigned To: daverandom
 [2013-10-23 08:47 UTC] daverandom@php.net
-Status: Assigned +Status: Closed
 [2013-10-23 08:47 UTC] daverandom@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
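
Added example, not part of the original report and not PHP's own implementation: escaping a value for the search-filter case shown in the reproduce code, using the RFC 4515 filter escapes. The names `escape_ldap_filter_value()` and `build_sn_filter()` are hypothetical and the sample inputs are constructed; the example needs PHP 7 or later, and PHP 5.6 and later provide `ldap_escape()` with the `LDAP_ESCAPE_FILTER` flag for the same purpose.

```php
<?php
// Added example, not PHP's own implementation. escape_ldap_filter_value()
// and build_sn_filter() are hypothetical helper names.

function escape_ldap_filter_value(string $value): string
{
    // RFC 4515: these five bytes must appear in a filter value as a
    // backslash followed by two hex digits. strtr() with an array makes a
    // single pass and never rescans its own output, so the backslashes it
    // emits are not escaped a second time.
    return strtr($value, [
        '\\' => '\\5c',
        '*'  => '\\2a',
        '('  => '\\28',
        ')'  => '\\29',
        "\0" => '\\00',
    ]);
}

function build_sn_filter(string $lastname): string
{
    return '(sn=' . escape_ldap_filter_value($lastname) . ')';
}

// Constructed inputs: a plain name, a wildcard, a value that tries to
// close the (sn=...) term and append another, and a literal backslash.
$samples = ['Smith', '*', 'x)(uid=*', 'O\\Neil'];

foreach ($samples as $lastname) {
    $concatenated = "(sn=$lastname)";   // pattern from the reproduce code
    $escaped      = build_sn_filter($lastname);
    printf("input %s\n  concatenated: %s\n  escaped:      %s\n",
        var_export($lastname, true), $concatenated, $escaped);

    // Where the LDAP extension is loaded (PHP 5.6+), show the built-in's
    // result as well; hex digit case is ignored in the comparison.
    if (function_exists('ldap_escape')) {
        $builtin = '(sn=' . ldap_escape($lastname, '', LDAP_ESCAPE_FILTER) . ')';
        printf("  ldap_escape:  %s %s\n", $builtin,
            strcasecmp($builtin, $escaped) === 0 ? '[same]' : '[differs]');
    }
}
```

Values placed in a distinguished name need a different escape set (`LDAP_ESCAPE_DN` in `ldap_escape()`), so the filter helper above should not be reused for DN components.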


 