Posted to users@directory.apache.org by Hendy Irawan <he...@soluvas.com> on 2012/05/30 18:55:15 UTC

How to Escape LDAP Filter Query ?

Dear Apache Directory users,

How do I escape an LDAP filter query ?

e.g.

String searchTerm = ...; // from user input
String filter = "(&(objectclass=person)(cn=*" + escapeFunction(searchTerm)
+ "*))";

What is this escapeFunction ?

-- 
Hendy Irawan - on Twitter <http://twitter.com/hendybippo> - on
LinkedIn<http://id.linkedin.com/in/hendyirawan>
Web Developer | Bippo Indonesia <http://www.bippo.co.id/> | Akselerator
Bisnis | Bandung

Re: How to Escape LDAP Filter Query ?

Posted by Emmanuel Lécharny <el...@gmail.com>.
Le 5/30/12 10:08 PM, David Parker a écrit :
> On 05/30/2012 12:55 PM, Hendy Irawan wrote:
>> Dear Apache Directory users,
>>
>> How do I escape an LDAP filter query ?
>>
>> e.g.
>>
>> String searchTerm = ...; // from user input
>> String filter = "(&(objectclass=person)(cn=*" + 
>> escapeFunction(searchTerm)
>> + "*))";
>>
>> What is this escapeFunction ?
>>
>
> Hello,
>
> What exactly do you want to escape in searchTerm?  Are you trying to 
> prevent someone from entering something like 
> "johndoe,o=x.com,dc=x,dc=com" as the search term?  If that is the 
> case, then you could sanitize the input using something like this:
>
>     if( searchTerm.contains(",") )
>         searchTerm = searchTerm.substring(0,searchTerm.indexOf(","));
>
> Or you could simply sanitize the user input by checking for various 
> characters (& | ! , etc.) and rejecting the input if one of these is 
> found in the string.
>
> I'm not much of a Java programmer, so there is probably a better way, 
> but I hope this helps.
>
>     - Dave
>
I guess you expect something like a Filter.escape( String ) method that 
creates a filter with escaped chars.

So if you call Filter.escape( "(myAttr=I'm a \u002a)" ), it will return 
the escaped string "(myAttr=I'm a \\2A)"

Filter special chars in values are:
'*' translates to \2A
'(' translates to \28
')' translates to \29
'\' translates to \5C
0x00 translates to \00

Note that you still have to provide a String that distinguishes those 5 
characters, so at some point, it's probably enough to do the escaping by 
hand. The method I described would just be a bit superfluous...

Also note that no other character needs to be escaped but those 5 ones. 
There is no risk that a &, | or ! can be confused with an operator in a 
value.

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
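As an added example (not code from the thread, and not Apache Directory's own API), here is a small Java helper that implements the escaping Emmanuel lists above: the five characters `*`, `(`, `)`, `\` and NUL are replaced by a backslash followed by their two-digit hex code, and everything else is copied through unchanged. The class and method names (`FilterValueEscaper`, `escapeFilterValue`, `personByCnSubstring`) and the sample inputs are assumptions chosen for this illustration.

```java
/**
 * Added example: escaping of a user-supplied assertion value before it is
 * concatenated into an LDAP search filter string. Implements the five
 * special characters listed in the reply above (this is the set RFC 4515
 * section 3 requires to be escaped). Not Apache Directory's own code.
 */
public final class FilterValueEscaper {

    private FilterValueEscaper() {
    }

    /**
     * Escapes one assertion value. Only the five filter-special characters
     * are rewritten; characters such as ',', '&', '|' and '!' have no
     * operator meaning inside a value and are left as they are.
     */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '*':  sb.append("\\2A"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5C"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * The filter from the original question, with the search term escaped.
     * The surrounding '*' wildcards are part of the filter template, so they
     * are added after escaping and are not themselves escaped.
     */
    public static String personByCnSubstring(String searchTerm) {
        return "(&(objectclass=person)(cn=*" + escapeFilterValue(searchTerm) + "*))";
    }

    public static void main(String[] args) {
        // Constructed sample inputs (assumptions for this example, not from the thread).
        String[] samples = {
            "hendy",                         // plain value, unchanged
            "hen*dy",                        // '*' becomes \2A, so it matches a literal asterisk
            "a)(cn=",                        // shows why '(' and ')' are on the list
            "C:\\temp",                      // a literal backslash becomes \5C
            "johndoe,o=x.com,dc=x,dc=com",   // commas are not special in a filter value
            "&|!"                            // not operators inside a value, copied as-is
        };
        for (String s : samples) {
            System.out.println(s + "  ->  " + personByCnSubstring(s));
        }
    }
}
```

Running `main` prints, for instance, `hen*dy  ->  (&(objectclass=person)(cn=*hen\2Ady*))`, so the user's `*` is matched literally while the template's own wildcards still work. Newer releases of the Apache LDAP API ship a `FilterEncoder.encodeFilterValue(String)` utility in `org.apache.directory.api.ldap.model.filter` that does the same job; check that it exists in the version you use before relying on it.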


Re: How to Escape LDAP Filter Query ?

Posted by David Parker <dp...@utica.edu>.
On 05/30/2012 12:55 PM, Hendy Irawan wrote:
> Dear Apache Directory users,
>
> How do I escape an LDAP filter query ?
>
> e.g.
>
> String searchTerm = ...; // from user input
> String filter = "(&(objectclass=person)(cn=*" + escapeFunction(searchTerm)
> + "*))";
>
> What is this escapeFunction ?
>

Hello,

What exactly do you want to escape in searchTerm?  Are you trying to 
prevent someone from entering something like 
"johndoe,o=x.com,dc=x,dc=com" as the search term?  If that is the case, 
then you could sanitize the input using something like this:

     if( searchTerm.contains(",") )
         searchTerm = searchTerm.substring(0,searchTerm.indexOf(","));

Or you could simply sanitize the user input by checking for various 
characters (& | ! , etc.) and rejecting the input if one of these is 
found in the string.

I'm not much of a Java programmer, so there is probably a better way, 
but I hope this helps.

     - Dave

-- 

Dave Parker
Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177