Prevent LDAP injection

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: csharp-security/ldap-injection

Language: C#

Severity: Warning

Category: Security

CWE: 90

Description

Unvalidated user inputs may lead to LDAP injection. Always escape characters in your LDAP queries. Do not build LDAP queries manually.

Learn More

Non-Compliant Code Examples

public class MyController : Controller
{
    public bool userExists(string user, string pass)
    {
        DirectoryEntry directory  = new DirectoryEntry();
        DirectorySearcher directorySearch  = new DirectorySearcher(directory);

        directorySearch.Filter = "(&(uid=" + user + ")(userPassword=" + pass + "))";

        return directorySearch.FindOne() != null;
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis