Cette page n'est pas encore disponible en français, sa traduction est en cours. Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.
LDAP injection is a type of attack used to exploit applications that construct LDAP statements from user-supplied input. This can cause unauthorized viewing of data, privilege escalation, or other unintended behaviors.
The importance of this rule lies in its ability to prevent such attacks, safeguarding the application and its data. By not properly sanitizing user input before using it in an LDAP statement, you may be exposing your system to potential security risks.
To follow this rule and avoid LDAP injection, always sanitize and validate user input before using it in an LDAP statement. This can be achieved by using the ldap_escape function in PHP for escaping special characters in the input. Additionally, using regular expressions or other validation methods to ensure the input matches expected patterns can further enhance security.
Non-Compliant Code Examples
<?php// Insecure: Using unsanitized user input in an LDAP search
$ldapconn=ldap_connect("ldap://example.com");$base_dn="ou=users,dc=example,dc=com";$filter="(uid=".$_POST['username'].")";if($ldapconn){ldap_bind($ldapconn,"cn=admin,dc=example,dc=com","admin_password");$result=ldap_search($ldapconn,$base_dn,$filter);$entries=ldap_get_entries($ldapconn,$result);foreach($entriesas$entry){echo"User: ".$entry["uid"][0];}}
Compliant Code Examples
<?php// Secure: Sanitize and validate user input before LDAP bind
$ldapconn=ldap_connect("ldap://example.com");if($ldapconn){$username=ldap_escape($_GET['username'],'',LDAP_ESCAPE_DN);$ldaprdn='uid='.$username.',ou=users,dc=example,dc=com';$ldappass=$_GET['password'];// Additional validation for the username and password
if(preg_match('/^[a-zA-Z0-9._-]+$/',$username)&&!empty($ldappass)){$ldapbind=ldap_bind($ldapconn,$ldaprdn,$ldappass);if($ldapbind){echo"LDAP bind successful.";}else{echo"LDAP bind failed.";}}else{echo"Invalid input.";}}
Seamless integrations. Try Datadog Code Analysis
Datadog Code Analysis
Try this rule and analyze your code with Datadog Code Analysis
How to use this rule
1
2
rulesets:- php-security # Rules to enforce PHP security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Analysis scans to your CI pipelines