Sanitize LDAP_bind query

I know that when I query a MySQL database from PHP with user input, the data must be sanitized. For the project I am working on, I will authenticate against Active Directory to handle the login, using the ldap_bind() function.

I have taken steps to check the password in order to prevent an anonymous bind attempt, but I am wondering whether I need to take any other precautions, as is usual when using user-entered data. Or does Active Directory take care of that itself?

+4
2 answers

I'm more of an OpenLDAP guy, but if I'm not mistaken, there is no way to exploit it with special characters.

However, that doesn't mean it isn't good practice to strip out what you know won't be there, especially in usernames or generated bind paths. For instance:

$myname = preg_replace("/[^a-zA-Z0-9_ \-]/", "", $myname);

This would strip everything except lowercase letters, uppercase letters, digits, underscores, spaces and dashes. It's always safer to use "allow only this" logic rather than "reject that" logic. You can never think of everything to reject.

+4

Be careful to check that the password is not empty. It sounds silly, but according to the LDAP standard, binding with a username and no password is treated as an anonymous bind and will succeed.

If you use the success or failure of a bind attempt to verify user credentials, an empty password would be an easy way to spoof it.

+2
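Putting both answers together, as an added example that is not from the original thread: the allow-list regex from the first answer, the empty-password refusal from the second, and PHP's ldap_escape() (PHP 5.6 and later) to escape the username before it is placed in a bind DN. The hostname, OU and DC components are assumed placeholders, not values from the page.

```php
<?php
// Added example, not code from the original answers. Allow-lists the username,
// refuses an empty password so ldap_bind() cannot fall through to an anonymous or
// unauthenticated bind, and DN-escapes the value before building the bind DN.

/**
 * Returns true only if the user authenticated with a real (non-empty) password.
 * Throws InvalidArgumentException for input that fails the allow-list checks.
 */
function authenticateAgainstAd(string $username, string $password): bool
{
    // Allow-list check (first answer): letters, digits, underscore, space, dash.
    if (!preg_match('/^[a-zA-Z0-9_ \-]+$/', $username)) {
        throw new InvalidArgumentException('username contains disallowed characters');
    }
    // Empty-password check (second answer): a bind with a name and an empty
    // password is an unauthenticated bind, which a server may accept, so it
    // must never reach ldap_bind().
    if ($password === '') {
        throw new InvalidArgumentException('empty password is not a credential');
    }

    $ldap = ldap_connect('ldaps://dc.example.test');   // assumed hostname
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Escape for DN context (not filter context) before placing the name in a DN.
    $bindDn = 'CN=' . ldap_escape($username, '', LDAP_ESCAPE_DN)
            . ',OU=Users,DC=example,DC=test';           // assumed base DN

    // @ suppresses the warning ldap_bind() emits on invalid credentials;
    // the boolean return is the only signal we rely on.
    $ok = @ldap_bind($ldap, $bindDn, $password);
    ldap_unbind($ldap);
    return $ok;
}
```

Because the empty-password case is rejected before any network call, a spoofing attempt with a blank password fails in the same way for every username, whether or not the directory would have accepted the unauthenticated bind.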

Source: https://habr.com/ru/post/1332528/
