how can LDAP injection blocked?

Michael Ströder michael at
Tue Apr 28 23:23:38 CEST 2009

Yancey Yeargan wrote:
> I believe he is asking how to defend against potential web-based LDAP
> filter injection attacks (similar to SQL injection attacks),

Ah ok. To prevent someone to pass in special filter chars these have to
be escaped before the user's input is used as (partial) value in the
LDAP filter string representation.

One should use the functions in module ldap.filter for that:

> or generally how to validate user input.

This depends on the application's context and could be handled in the
web app library.

Ciao, Michael.

More information about the python-ldap mailing list