ID: 47607
Comment by: gdr at go2 dot pl
Reported By: gdr at go2 dot pl
Status: Open
Bug Type: Feature/Change Request
Operating System: Linux
PHP Version: 5.2.9
New Comment:

One implementation of this function in PHP, found here:
http://lists.evolvis.org/pipermail/evolvis-commits/2008-November/000054.html
is:

+ function ldap_escape_string($string) //public + { + $string = str_replace(",", '\\,', $string); + $string = str_replace('"', '\\"', $string); + $string = str_replace("'", '\\\'', $string); + $string = str_replace("<", '\\<', $string); + $string = str_replace(">", '\\>', $string); + $string = str_replace(";", '\\;', $string); + $string = str_replace('\\', '\\\\', $string); + $string = str_replace("+", '\\+,', $string); + $string = str_replace("=", '\\=,', $string); + $string = str_replace("#", '\\#', $string); + return $string; + }

I haven't, however, read the RFC for this and therefore I don't know if it's
100% correct.

Previous Comments:
------------------------------------------------------------------------

[2009-03-09 17:36:36] gdr at go2 dot pl

Description:
------------
The LDAP module needs a function to escape strings to prevent LDAP
injections, like the MySQL module has mysql_escape_string()

Reproduce code:
---------------
$sr=ldap_search($ds, "", "(sn=$_GET[lastname])");

Expected result:
----------------
$sr=ldap_search($ds, "", "(sn=".ldap_escape_string($_GET['lastname']).")");

------------------------------------------------------------------------
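
Review bot: the backslash replacement in ldap_escape_string(), str_replace('\\', '\\\\', $string), sits seventh in the function, after the replacements for the comma, both quotes, angle brackets and semicolon, so it doubles the backslashes those lines have just inserted; an input comma comes out as two backslashes followed by a bare comma. Move the backslash replacement to the top of the function, or do all substitutions in one pass. The "+" and "=" lines use '\\+,' and '\\=,' as replacement strings, which appends a stray comma after each escaped character; they should be '\\+' and '\\='. The function also leaves *, ( and ) untouched, and those are the characters that change the meaning of a search filter such as the (sn=...) one in the reproduce code, so as written it does not cover the case this report is about.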
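
The filter in the report, (sn=...), is a search filter, and RFC 4515 requires backslash, *, (, ) and NUL in an assertion value to be written as a backslash plus two hex digits. The following is an added example, not code from the bug report or from PHP's LDAP module; escape_filter_value() and surname_filter() are hypothetical names and the sample inputs are constructed:

```php
<?php
// Added example. PHP 5.6 and later ship ldap_escape(), whose
// LDAP_ESCAPE_FILTER mode does this job; the userland function below
// shows the rule itself for versions that lack it.

/**
 * Escape a value for use as an assertion value in an LDAP search filter
 * (RFC 4515): backslash, *, (, ) and NUL become \XX hex pairs.
 */
function escape_filter_value($value)
{
    // strtr() with an array makes a single pass over the input, so the
    // backslashes it inserts are never escaped a second time.
    return strtr((string) $value, array(
        '\\' => '\\5c',
        '*'  => '\\2a',
        '('  => '\\28',
        ')'  => '\\29',
        "\0" => '\\00',
    ));
}

/** Build the (sn=...) filter from the report with the value escaped. */
function surname_filter($lastname)
{
    return '(sn=' . escape_filter_value($lastname) . ')';
}

// Constructed sample inputs: a plain surname, then values that carry
// filter metacharacters and must come out as literal text.
$samples = array(
    'Smith',
    'Sm*',
    'a)(b',
    'a\\b',
);

foreach ($samples as $input) {
    printf("%-8s => %s\n", $input, surname_filter($input));
}
```

Values placed inside a distinguished name follow different rules (RFC 4514), so a filter escaper and a DN escaper are not interchangeable.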