how can LDAP injection blocked?
Burak Arslan
burak at arskom.com.tr
Tue Apr 28 15:10:43 CEST 2009
Michael Ströder wrote:
> mete bilgin wrote:
>
>> I'm developing a web-based LDAP GUI with Python (with python-ldap).
>> And I'm missing something about security. How can I block LDAP injection?
>>
>
> Could you please elaborate on what you mean with "ldap injection"?
>
>
I guess what he means is something like this: imagine the following filter:
  (&(objectClass=inetOrgPerson)(uid=$input))
where $input comes from a web form, or similar. If $input==')' you get
  (&(objectClass=inetOrgPerson)(uid=)))
which is invalid.
So some form of input validation must be used.
Please correct me if I'm wrong.
best regards
burak
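
Added example, not part of the original message: the filter above with the input escaped per RFC 4515 before it is substituted, so a `)` from the form stays inside the `uid` value. python-ldap provides `ldap.filter.escape_filter_chars()` and `ldap.filter.filter_format()` for this; the pure-Python version below runs without the library, and `build_uid_filter` and `is_balanced` are hypothetical helper names.

```python
# Added example: RFC 4515 escaping for a value placed into an LDAP search filter.
# build_uid_filter and is_balanced are hypothetical helper names.

# Characters RFC 4515 requires to be escaped in an assertion value,
# each replaced by a backslash plus its two-digit hex code.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Return value with RFC 4515 special characters hex-escaped (single pass)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(user_input: str) -> str:
    """Build the filter from the post with the input escaped first."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(user_input)


def is_balanced(filter_str: str) -> bool:
    """Check parenthesis balance, skipping backslash-escaped characters."""
    depth = 0
    i = 0
    while i < len(filter_str):
        ch = filter_str[i]
        if ch == "\\":
            i += 3  # skip the backslash and its two hex digits
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    raw = "(&(objectClass=inetOrgPerson)(uid=%s))" % ")"  # unescaped, as in the post
    print(raw, is_balanced(raw))
    safe = build_uid_filter(")")
    print(safe, is_balanced(safe))
```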