我们正在构建一个通过PHP使用LDAP的应用程序,我想到有什么可以做到注入LDAP更好,但更好的是如何防止LDAP注入?
构建LDAP过滤器时,必须确保根据
RFC2254处理过滤器值:
Any control characters with an ACII
code < 32 as well as the characters
with special meaning in LDAP filters
“*”,“(“,“)”,and “\” (the backslash)
are converted into the representation
of a backslash followed by two hex
digits representing the hexadecimal
value of the character.
Zend_Ldap例如使用以下例程
//[...] $val = str_replace(array('\\','*','(',')'),array('\5c','\2a','\28','\29'),$val); for ($i = 0; $i<strlen($val); $i++) { $char = substr($val,$i,1); if (ord($char)<32) { $hex = dechex(ord($char)); if (strlen($hex) == 1) $hex = '0' . $hex; $val = str_replace($char,'\\' . $hex,$val); } } //[...]