I have an LDAP query, which I am using to perform a search in C#. It uses two string variables (username and domain) which need to be escaped for security reasons.
How should I escape the strings? Is there a function available in C#.NET to do this?
Example LDAP search conditions:
(objectCategory=person)
(userprincipalname=username@domain*)
(samaccountname=username)
Example LDAP query string in C#:
    string search = "(&(&(objectCategory=person)(userprincipalname="
        + username
        + "@"
        + domain
        + "*)(samaccountname="
        + username
        + ")))";
Edit: I already have the LDAP query working, and returning results. All I want is to escape the parameters.
In the platform, the backslash character ( \ ) is used to escape values within strings. The character following the escaping character is treated as a string literal.
It is an ASCII character and can be used anywhere. \a is used to display a sound.
C# includes the escaping character \ (backslash) before these special characters to include them in a string. Use a backslash \ before double quotes and some special characters such as \, \n, \r, \t, etc. to include them in a string.
The following is my translation from the Java code mentioned by Sophia into C#.
    using System.Text;

    /// <summary>
    /// Escapes the LDAP search filter to prevent LDAP injection attacks.
    /// </summary>
    /// <param name="searchFilter">The search filter.</param>
    /// <see href="https://blogs.oracle.com/shankar/entry/what_is_ldap_injection" />
    /// <see href="http://msdn.microsoft.com/en-us/library/aa746475.aspx" />
    /// <returns>The escaped search filter.</returns>
    private static string EscapeLdapSearchFilter(string searchFilter)
    {
        StringBuilder escape = new StringBuilder();
        for (int i = 0; i < searchFilter.Length; ++i)
        {
            char current = searchFilter[i];
            // Replace each filter metacharacter with a backslash and its two-digit hex code.
            switch (current)
            {
                case '\\':
                    escape.Append(@"\5c");
                    break;
                case '*':
                    escape.Append(@"\2a");
                    break;
                case '(':
                    escape.Append(@"\28");
                    break;
                case ')':
                    escape.Append(@"\29");
                    break;
                case '\u0000':
                    escape.Append(@"\00");
                    break;
                case '/':
                    escape.Append(@"\2f");
                    break;
                default:
                    // Every other character is copied through unchanged.
                    escape.Append(current);
                    break;
            }
        }
        return escape.ToString();
    }
I found a solution here, in a blog post about LDAP Injection.
This solution involves adding your own function to escape the username and domain name. His solution is in Java, but the idea is there.
Also, MSDN lists which special characters need to be replaced by escape sequences.
As far as I can tell, there doesn't seem to be any method for escaping LDAP strings in System.DirectoryServices (like there is in HttpServerUtility for URLs etc.).
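The question's filter built with both variables escaped, followed by a structural check that the input cannot add filter syntax. This is an added example, not code from either answer; `LdapFilterDemo`, `EscapeFilterValue`, `BuildUserFilter` and the sample inputs are hypothetical names and constructed values.

```csharp
using System;
using System.Linq;
using System.Text;

public static class LdapFilterDemo
{
    // Escapes one value for an LDAP filter assertion, covering the same
    // characters as the answer above: \ * ( ) NUL /
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length + 8);
        foreach (char c in value)
        {
            if ("\\*()\0/".IndexOf(c) >= 0)
                sb.Append('\\').Append(((int)c).ToString("x2")); // e.g. '*' -> \2a
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // The question's filter, with each variable escaped before concatenation.
    public static string BuildUserFilter(string username, string domain)
    {
        string u = EscapeFilterValue(username);
        string d = EscapeFilterValue(domain);
        return "(&(&(objectCategory=person)(userprincipalname=" + u + "@" + d
             + "*)(samaccountname=" + u + ")))";
    }

    public static void Main()
    {
        // Constructed sample inputs: one plain, one carrying filter metacharacters.
        foreach (string name in new[] { "jsmith", @"j*sm(ith)\x" })
        {
            string filter = BuildUserFilter(name, "example.com");
            Console.WriteLine(name + " => " + filter);
            // Structural check: only the template's own 5 '(', 5 ')' and 1 '*'
            // may appear literally, whatever the input was.
            if (filter.Count(ch => ch == '(') != 5 || filter.Count(ch => ch == ')') != 5
                || filter.Count(ch => ch == '*') != 1)
                throw new InvalidOperationException("input altered the filter structure");
        }
    }
}
```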