Print

Print


I am querying LDAP via PHP and was searching for resources regarding how I
should manage the data I get out of it. When I came across this post, I felt
compelled to reply because the code that had been written in this thread is
susceptible to an injection attack. I doubt that would be a likely thing to
happen (albeit malicious consequence), but if the query is bound to a user's
account, it could compromise some very sensitive data for that user, and if
it's bound to someone who has even more access?

I wrote the following earlier which escapes a term for a filter (however,
not for distinguished names, which I hope anyone would keep in mind):

        private static function ldap_filter_escape($str) {
                $map = array( 
                        "*"    => "\\2a",
                        "("    => "\\28",
                        ")"    => "\\29",
                        "\\"   => "\\5c",
                        chr(0) => "\\00",
                );
                return str_replace(array_keys($map),array_values($map),$str);
        }


On Mon, 15 Jun 2009 11:54:32 -0400, Tyler Whitney <[log in to unmask]> wrote:

>Thank you very much!
>
>In fact I hadn't remembered you covering it, I apologize for not reading
>thoroughly.
>
>Thanks for sparking my mind about the print_r command.... I was trying
>to see how the complex array was organized. I now get the structure.
>This is what the code I was testing with looked like:
>
>$ds = $LDAPLink;
>            // $person is all or part of a person's name, eg "Jo"
>            $person = "Tyler";
>
>            $dn = "ou=People,dc=uvm,dc=edu";
>            $filter="(|(sn=$person*)(givenname=$person*))";
>            $justthese = array("ou", "sn", "givenname", "mail");
>
>            $sr=ldap_search($ds, $dn, $filter, $justthese);
>
>            $info = ldap_get_entries($ds, $sr);
>
>--------------
>
>from there I wasn't figuring out the structure of $info... but as you
>mentioned, I just did a print_r and I now see quite the complexity.
>Looks like I will be needing some for loops to format the information
>according, I'm not quite sure this is user interface friendly the way it
>is. ;-)
>
>My appreciation goes out! And again I apologize for not reading the
>previous message thoroughly before posting again.
>
>Tyler
>>  |