PHP :: Request #47607 :: Add LDAP escaping

Add LDAP escaping

Submitted:

2009-03-09 17:36 UTC

Modified:

2013-10-23 08:47 UTC

Votes:	2
Avg. Score:	4.0 ± 1.0
Reproduced:	2 of 2 (100.0%)
Same Version:	2 (100.0%)
Same OS:	1 (50.0%)

From:

gdr at go2 dot pl

Assigned:

daverandom (profile)

Status:

Closed

Package:

LDAP related

PHP Version:

OS:

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 48 + 3 = ?
Subscribe to this entry?

[2009-03-09 17:36 UTC] gdr at go2 dot pl

Description:
------------
The LDAP module needs a function to escape strings to prevent LDAP injections, like MySQL module has mysql_escape_string()

Reproduce code:
---------------
$sr=ldap_search($ds, "", "(sn=$_GET[lastname])");

Expected result:
----------------
$sr=ldap_search($ds, "", "(sn=".ldap_escape_string($_GET[lastname]).")");

Patches

Add a Patch

Pull Requests

Pull requests:

Add ldap_escape() (php-src/458)

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-03-09 21:41 UTC] gdr at go2 dot pl

One implementation of this function in PHP, found here:

http://lists.evolvis.org/pipermail/evolvis-commits/2008-November/000054.html

is:

+	function ldap_escape_string($string) //public
+	{
+		 $string = str_replace(",", '\\,', $string);
+		 $string = str_replace('"', '\\"', $string);
+		 $string = str_replace("'", '\\\'', $string);
+		 $string = str_replace("<", '\\<', $string);
+		 $string = str_replace(">", '\\>', $string);
+		 $string = str_replace(";", '\\;', $string);
+		 $string = str_replace('\\', '\\\\', $string);
+		 $string = str_replace("+", '\\+,', $string);
+		 $string = str_replace("=", '\\=,', $string);
+		 $string = str_replace("#", '\\#', $string);
+		return $string;
+	}

I haven't, however, read RFC for this and therefore I don't know if it's 100% correct.

[2011-01-02 02:19 UTC] jani@php.net

-Package: Feature/Change Request +Package: LDAP related -Operating System: Linux +Operating System: * -PHP Version: 5.2.9 +PHP Version: *

[2013-09-29 21:54 UTC] daverandom@php.net

-Assigned To: +Assigned To: daverandom

[2013-10-23 08:47 UTC] daverandom@php.net

-Status: Assigned +Status: Closed

[2013-10-23 08:47 UTC] daverandom@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 00:01:29 2024 UTC