ID: php-security/ldap-injection
Language: PHP
Severity: Error
Category: Security
CWE: 90
LDAP injection is an attack against applications that build LDAP statements (search filters or distinguished names) from user-supplied input. When the input is concatenated into the statement, metacharacters such as *, ( and ) in a filter, or , and = in a DN, change the structure of the statement instead of being treated as data. The result can be unauthorized disclosure of directory data, authentication bypass, privilege escalation, or other unintended behavior.
This rule flags places where user input reaches an LDAP statement without being sanitized. Passing unsanitized input into ldap_search, ldap_bind or a related call exposes the application and the directory behind it.
To comply with this rule, always validate and sanitize user input before using it in an LDAP statement. Use PHP's ldap_escape function to escape special characters, and pick the flag that matches the context the value ends up in: LDAP_ESCAPE_FILTER when the value is placed in a search filter and LDAP_ESCAPE_DN when it becomes part of a distinguished name; escaping for the wrong context does not neutralize the metacharacters of the other. In addition, validating the input against an allowlist (for example, a regular expression that describes the expected username format) rejects unexpected values outright and gives a second layer of defence if the escaping is ever bypassed.
<?php
// Insecure: unsanitized user input is concatenated into an LDAP search filter.
// A username such as "*" matches every user, and a value containing ")" or "("
// changes the structure of the filter.
$ldapconn = ldap_connect("ldap://example.com");
$base_dn = "ou=users,dc=example,dc=com";
$filter = "(uid=" . $_POST['username'] . ")";
if ($ldapconn) {
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_bind($ldapconn, "cn=admin,dc=example,dc=com", "admin_password");
    $result = ldap_search($ldapconn, $base_dn, $filter);
    $entries = ldap_get_entries($ldapconn, $result);
    // ldap_get_entries() returns a "count" key next to the numeric entries,
    // so iterate by index rather than with foreach over the whole array.
    for ($i = 0; $i < $entries["count"]; $i++) {
        echo "User: " . $entries[$i]["uid"][0];
    }
}
<?php
// Secure: validate the raw username against an allowlist, then escape it for
// the DN context before building the bind DN. Credentials are read from the
// POST body rather than the query string so they do not end up in access logs.
$ldapconn = ldap_connect("ldap://example.com");
if ($ldapconn) {
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    $username = $_POST['username'] ?? '';
    $ldappass = $_POST['password'] ?? '';
    // Validate before escaping: the allowlist already excludes every DN and
    // filter metacharacter, and the escape stays in place as defence in depth.
    // The non-empty password check matters: a bind with a DN and an empty
    // password is an unauthenticated bind, which many servers accept.
    if (preg_match('/^[a-zA-Z0-9._-]+$/', $username) && $ldappass !== '') {
        $ldaprdn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',ou=users,dc=example,dc=com';
        $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
        if ($ldapbind) {
            echo "LDAP bind successful.";
        } else {
            echo "LDAP bind failed.";
        }
    } else {
        echo "Invalid input.";
    }
}
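The following is an added example, not code from the Datadog rule page or from the Datadog project, that shows the two points the rule makes: escape with the flag that matches the context (LDAP_ESCAPE_FILTER for search filters, LDAP_ESCAPE_DN for distinguished names) and validate against an allowlist first. It builds a search filter and a bind DN from a few constructed attacker payloads and prints what the vulnerable concatenation, escaping alone, and validation plus escaping each produce. It never contacts a directory server, so it runs offline; it only needs PHP's ldap extension for ldap_escape. The base DN, the helper names and the payloads are assumptions for illustration.

```php
<?php
// Added example (not part of the rule page): context-specific LDAP escaping
// plus allowlist validation, demonstrated on constructed inputs. Requires
// ext/ldap for ldap_escape(); no LDAP server is contacted.
declare(strict_types=1);

const BASE_DN = 'ou=users,dc=example,dc=com'; // assumed directory layout

/**
 * Allowlist check on the raw value. Run it before escaping: the pattern
 * describes what a username may look like, and it rejects every filter
 * and DN metacharacter, so escaping afterwards is defence in depth only.
 */
function is_valid_username(string $raw): bool
{
    return strlen($raw) <= 64 && preg_match('/^[A-Za-z0-9._-]+$/', $raw) === 1;
}

/** Search filter: escape for the FILTER context (RFC 4515: * ( ) \ NUL). */
function build_uid_filter(string $raw): ?string
{
    if (!is_valid_username($raw)) {
        return null;
    }
    return '(&(objectClass=person)(uid=' . ldap_escape($raw, '', LDAP_ESCAPE_FILTER) . '))';
}

/** Bind DN: escape for the DN context (RFC 4514: , = + < > ; " \ #). */
function build_user_dn(string $raw): ?string
{
    if (!is_valid_username($raw)) {
        return null;
    }
    return 'uid=' . ldap_escape($raw, '', LDAP_ESCAPE_DN) . ',' . BASE_DN;
}

/** What the vulnerable code on the page does: concatenate without escaping. */
function build_uid_filter_unsafe(string $raw): string
{
    return '(uid=' . $raw . ')';
}

// Constructed payloads. The first is the classic wildcard; the second closes
// the uid clause early (servers that stop parsing at the first complete filter
// then evaluate only the injected part); the third targets the DN context by
// relocating the RDN under a different OU; the last is a legitimate user.
$inputs = [
    '*',
    'admin)(&',
    'alice,ou=admins',
    'alice.smith',
];

foreach ($inputs as $raw) {
    echo "input:          ", var_export($raw, true), PHP_EOL;
    echo "  unsafe filter: ", build_uid_filter_unsafe($raw), PHP_EOL;
    // Escaping alone already turns "*" into the literal "\2a" and ")" into
    // "\29", so the filter structure can no longer be changed.
    echo "  escaped only:  ", '(uid=' . ldap_escape($raw, '', LDAP_ESCAPE_FILTER) . ')', PHP_EOL;
    echo "  safe filter:   ", build_uid_filter($raw) ?? 'REJECTED by allowlist', PHP_EOL;
    echo "  safe bind DN:  ", build_user_dn($raw) ?? 'REJECTED by allowlist', PHP_EOL;
}
```

Run it with php and compare the three rows for each payload: the unsafe row shows the filter whose structure the input rewrote, the escaped row shows the same input turned into literal hex escapes (a wildcard becomes \2a, a comma in the DN becomes \2c), and the allowlisted rows reject the payloads before any escaping is needed while passing the legitimate username through unchanged. In production code keep both layers; escaping is what removes the injection, and the allowlist keeps oddly shaped input from reaching the directory at all.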