php - Is it safe to pass "raw" search filters to ldap_search() function?


I am writing a PHP application that manages some LDAP entries. I have a page that shows entries from a given branch and filters on some object classes (only some authorized users, etc.). I was wondering whether passing 'raw' URL-defined filters to the ldap_search() function could bring any type of security issue.

The filter would be set with something like:

  "(&(objectClass=myClass1)(objectClass=myClass2)" . $_GET['Filters'] . ")"

Of course, I would never do this in SQL, but with LDAP functions? I do not see any risk in doing this; am I wrong?

Note: I do not care about things like incorrect filter syntax, etc., because that is avoided elsewhere, when I generate the URLs. In the case of hand-defined filters with errors, it is OK to show the user the error.

Unlike SQL queries, LDAP search queries do not update anything, thus it is not very likely that they can change anything. Apart from this, it is highly unlikely that they will be able to get around the permissions, because the permissions are not based on related DN and search queries.

I have worked with LDAP for about 3 years and have never been worried about it, but of course I did not tell users what kind of DB they were talking to.

IMO, it's OK to do this.
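If the two objectClass terms in the question's filter are meant to hold for every search, the URL-supplied fragment has to stay inside the enclosing `(&...)`. The following is an added example, not part of the question or the answer: the helper names are hypothetical, and it checks structure only (balanced, parenthesized components), not full RFC 4515 syntax.

```php
<?php
// Added example: hypothetical helpers, not code from the original post.

/**
 * Returns true if $fragment is empty or a sequence of complete, balanced
 * "(...)" components, so it cannot close the enclosing "(&" early.
 * RFC 4515 requires literal parentheses in values to be written as \28 and
 * \29, so every raw "(" or ")" is structural and can simply be counted.
 */
function isBalancedFilterFragment(string $fragment): bool
{
    if (strpos($fragment, "\0") !== false) {
        return false;                 // NUL is never valid in a filter string
    }
    $depth = 0;
    $len = strlen($fragment);
    for ($i = 0; $i < $len; $i++) {
        $ch = $fragment[$i];
        if ($ch === '(') {
            $depth++;
        } elseif ($ch === ')') {
            if (--$depth < 0) {
                return false;         // closes a parenthesis it did not open
            }
        } elseif ($depth === 0) {
            return false;             // text outside any component
        }
    }
    return $depth === 0;
}

/** Builds the question's filter; throws instead of passing a bad string on. */
function buildSearchFilter(string $fragment): string
{
    if (!isBalancedFilterFragment($fragment)) {
        throw new InvalidArgumentException('Rejected filter fragment');
    }
    return '(&(objectClass=myClass1)(objectClass=myClass2)' . $fragment . ')';
}

// Constructed sample inputs standing in for $_GET['Filters'].
foreach (['', '(cn=a*)', '(|(cn=a*)(mail=*@example.org))', 'cn=a', '(cn=a))(cn=b'] as $f) {
    try {
        echo buildSearchFilter($f), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $f, "\n";
    }
}
```

When the URL carries only a value rather than a whole sub-filter, PHP's `ldap_escape($value, '', LDAP_ESCAPE_FILTER)` is the usual way to place it into a filter.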

