清理LDAP_bind查询

Question

I know that when I query a MySQL database in PHP from user entered data, the data should be sanitized. For a project that I am starting up, I will be authenticating against Active Directory for use login using the ldap_bind() function.

I've taken steps to check for a password to prevent an anonymous bind attempt, but I'm wondering if I need to take any other precautions like I would normally take when using user entered data. Or is this something that Active Directory will take care of itself?

Answer 1

I'm an OpenLDAP kind of guy, but if I'm not mistaken there's no way to exploit this with special characters.

However, that doesn't mean it's not good practice to strip out things you know won't be there, particularly in user names or generated bind paths. For instance:

$myname = preg_replace( "/[^a-zA-Z0-9_\\ -]/", "", $myname );

That would strip everything out except lowercase, uppercase, numbers, underscore, spaces and dash. It's always more secure to use an "allow only this" logic rather than "reject something". You can never think of ALL things to reject.

Answer 2

Be careful to validate that the password is not null. Sounds silly, but according to the LDAP standard a bind with a username and no password is counted as an anonymous bind and will succeed.

If you are using the success/failure of the bind attempt to validate the users credentials then a null password would be a nice way to fake it out.