The PHP Function ldap_escape()
A string is a sequence of characters that form the basis for all written communication. In PHP, strings can be concatenated together to form complex phrases and characters can be escaped in certain contexts to ensure that they are displayed correctly. For example, when you use double quotes, PHP will escape any variables or escape sequences that may appear within the string and will only display a single quote if an apostrophe appears in the string. In the same way, if you use a new line in your source code, that will not display as a new line when the string is rendered on the web page.
In LDAP, a string is called a distinguished name (DN). When a DN is used in a query, it must be escaped in order to avoid potential security issues. The ldap_escape() function enables you to escape LDAP metacharacters in a DN so that it can be used safely with LDAP.
You can also use ldap_escape() to sanitize user input before it is placed into a search filter. This is a good practice, since many attacks against LDAP involve user input and can result in unauthorized queries or content modification inside the LDAP tree. The Symfony LDAP component uses the Ldap::escape() method to sanitize user input for this purpose.
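The following is an added example, not code from the original page, showing ldap_escape() applied to both contexts described above: a DN and a search filter. The helper names buildUidFilter() and buildUserDn(), the base DN and the sample values are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example. Requires the PHP ldap extension; no LDAP server is contacted,
// the script only builds and prints strings.
if (!function_exists('ldap_escape')) {
    fwrite(STDERR, "The ldap extension is not loaded.\n");
    exit(1);
}

// Hypothetical helper: escape a value for use inside a search filter.
function buildUidFilter(string $uid): string
{
    $safe = ldap_escape($uid, '', LDAP_ESCAPE_FILTER);
    return '(&(objectClass=person)(uid=' . $safe . '))';
}

// Hypothetical helper: escape a value for use as an RDN value inside a DN.
function buildUserDn(string $cn, string $baseDn): string
{
    return 'cn=' . ldap_escape($cn, '', LDAP_ESCAPE_DN) . ',' . $baseDn;
}

// Constructed sample values and base DN (assumptions, not from the page).
$baseDn = 'ou=people,dc=example,dc=org';
$inputs = ['jdoe', 'j*', 'Doe, John (Contractor)'];

foreach ($inputs as $value) {
    echo "input: {$value}\n";
    // Unescaped concatenation: filter metacharacters in the value change the filter's meaning.
    echo '  unescaped filter : (&(objectClass=person)(uid=' . $value . "))\n";
    echo '  escaped filter   : ' . buildUidFilter($value) . "\n";
    echo '  escaped DN       : ' . buildUserDn($value, $baseDn) . "\n";
    // The two contexts have different metacharacters, so the flag must match
    // where the value lands: DN escaping leaves "*" and parentheses untouched.
    echo '  DN flag in filter: (uid=' . ldap_escape($value, '', LDAP_ESCAPE_DN) . ")\n";
}
```

The last line of each group shows why the flag has to match the context: a value escaped for a DN is still not safe to place in a filter.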
The ldap_escape() function is part of the LDAP API and can be found in the ldap/src/ldap.php file of the XAMPP project. It is not activated by default in XAMPP, so you must either install the LDAP extension or pass the -i flag to php when using the command line.