Is it safe to pass “raw” search filters to ldap_search() function?

spammer

I'm writing a PHP application that manages some LDAP entries. I have one page that shows entries from a given branch and filtering on some objectClasses (only to certain authorized users, etc. etc.).

I was wondering if it is safe to pass 'raw' URL-defined filters to the ldap_search() function, or whether this could lead to security issues of any kind.

The filter that will be set will then be something like:

[code]"(&(&(objectClass=myClass1)(objectClass=myClass2))". $_GET['filter'] .")"[/code]

Of course, I would never write something like this in SQL, but using LDAP functions? I don't see any possible risk of doing this, am I wrong?

NOTE: I don't care about things like wrong filter syntax, etc. since I'm doing escaping somewhere else, while generating the URL. In case of hand-defined filters with errors, it is OK to show an error to the user.
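For comparison with the concatenation in the post, this added example (not part of the original post and not the poster's code) builds the same filter from an attribute name and a value, so the request supplies data and the server decides the filter's structure. A raw fragment lets the requester choose the attributes and operators of the search, not only the values. The attribute allowlist, the function name build_filter() and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Attributes this page is willing to filter on (assumed list).
const ALLOWED_ATTRS = ['cn', 'mail', 'ou'];

/**
 * Build the search filter from an attribute name and a value instead of a
 * caller-supplied filter fragment (hypothetical helper).
 * Returns null when the attribute is not on the allowlist.
 */
function build_filter(string $attr, string $value): ?string
{
    if (!in_array($attr, ALLOWED_ATTRS, true)) {
        return null; // unknown attribute: reject instead of passing it through
    }
    // LDAP_ESCAPE_FILTER encodes * ( ) \ and NUL as \xx (RFC 4515), so the
    // value cannot close the assertion or start a new one.
    $safe = ldap_escape($value, '', LDAP_ESCAPE_FILTER);

    // Same outer shape as the filter in the post; only the inner part changes.
    return '(&(&(objectClass=myClass1)(objectClass=myClass2))'
         . '(' . $attr . '=' . $safe . '))';
}

// Constructed sample inputs standing in for two request parameters.
$samples = [
    ['cn', 'Alice Smith'],
    ['cn', 'Smith (sales)*'],        // filter metacharacters inside the value
    ['telephoneNumber', '555-0100'], // attribute outside the allowlist
];

foreach ($samples as [$attr, $value]) {
    $filter = build_filter($attr, $value);
    echo $filter ?? "rejected: attribute '$attr' is not allowed", PHP_EOL;
}
```

The script needs PHP's ldap extension for ldap_escape() but makes no directory connection; the returned string is what would be passed as the filter argument of ldap_search().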
 