views: 30
answers: 1
I'm writing a PHP application that manages some LDAP entries. I have one page that shows entries from a given branch and filtering on some objectClasses (only to certain authorized users, etc. etc.).

I was wondering if it is safe to pass 'raw' URL-defined filters to the ldap_search() function, or whether this could lead to security issues of any kind.

The filter that will be set will then be something like:

"(&(&(objectClass=myClass1)(objectClass=myClass2))". $_GET['filter'] .")"

Of course, I would never write something like this in SQL, but with LDAP functions? I don't see any possible risk in doing this; am I wrong?

NOTE: I don't care about things like wrong filter syntax, etc., since I'm doing escaping somewhere else, while generating the URL. In the case of hand-defined filters with errors, it is OK to show an error to the user.

+2  A: 

Unlike SQL queries, LDAP search queries do not do updates, thus it's very unlikely they'll be able to change anything. Also it's highly unlikely they'll be able to get around permissions, as permissions are based on the connected DN and NOT the search query.

I worked with LDAP for about 3 years and never worried about this, but of course I didn't tell the users what type of db they were interacting with.

IMO it's fine to do it like this.

Viper_Sb
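A worked example of the defensive alternative, added here and not taken from the question or the answer. In the question's construction the outer AND keeps the objectClass restriction in place, but the URL fragment is still parsed as filter syntax, so it can name any attribute and use any wildcard that the bound DN (usually the application's own service account, not the end user) is allowed to read. The usual fix is to accept an attribute name and a value instead of a filter fragment, check the attribute against an allow-list, and escape the value with ldap_escape() using LDAP_ESCAPE_FILTER (RFC 4515 escaping). The attribute list, the base filter and the sample inputs are constructed for the example; it assumes PHP 7 or later, and a small fallback for ldap_escape() is defined so the file runs without ext/ldap.

```php
<?php
// Added example, not code from the question or answer. Assumes PHP >= 7;
// ldap_escape() comes from ext/ldap, and the fallback below is only a
// stand-in so the file runs where the extension is absent.

if (!function_exists('ldap_escape')) {
    define('LDAP_ESCAPE_FILTER', 1);
    // Minimal stand-in: escapes the characters RFC 4515 treats as special
    // inside a filter value. Not a full replacement for ext/ldap.
    function ldap_escape(string $value, string $ignore = '', int $flags = 0): string {
        return strtr($value, ['\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00']);
    }
}

// Base filter fixed by the application; user input never becomes part of it.
// (Hypothetical objectClass names, taken from the question.)
const BASE_FILTER = '(&(objectClass=myClass1)(objectClass=myClass2)';

// Attributes an end user is permitted to search on (hypothetical allow-list).
const SEARCHABLE_ATTRS = ['cn', 'sn', 'mail', 'uid'];

/**
 * Build the search filter from request parameters (e.g. $_GET).
 * Throws InvalidArgumentException for anything outside the allow-list.
 */
function buildSearchFilter(array $params): string {
    $attr  = $params['attr']  ?? '';
    $value = $params['value'] ?? '';

    // Attribute names are matched exactly against the allow-list, so an
    // attribute such as userPassword can never be queried through this page.
    if (!in_array($attr, SEARCHABLE_ATTRS, true)) {
        throw new InvalidArgumentException("attribute not searchable: $attr");
    }
    if ($value === '' || strlen($value) > 256) {
        throw new InvalidArgumentException('value missing or too long');
    }

    // Escaping turns ( ) * \ and NUL into \XX sequences, so the value can
    // neither close the enclosing filter nor introduce wildcards.
    $escaped = ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    return BASE_FILTER . "($attr=$escaped))";
}

/**
 * The pattern from the question, kept only for contrast: the user-controlled
 * string is spliced in as filter syntax, so any attribute name and any
 * wildcard it contains reach the directory unchanged.
 */
function buildRawFilter(string $fragment): string {
    return '(&(&(objectClass=myClass1)(objectClass=myClass2))' . $fragment . ')';
}

// Constructed sample inputs standing in for $_GET.
$samples = [
    ['attr' => 'cn',           'value' => 'John (Smith)'],
    ['attr' => 'mail',         'value' => '*@example.org'],
    ['attr' => 'userPassword', 'value' => 'x'],
];

foreach ($samples as $p) {
    try {
        echo buildSearchFilter($p), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

// Same third input through the raw builder: nothing rejects the attribute.
echo buildRawFilter('(userPassword=x)'), "\n";
```

In the escaped form the first sample yields a filter whose parentheses in the value are encoded as \28 and \29, the second has its leading * encoded as \2a (so no wildcard match is performed), and the third is rejected before any ldap_search() call. If wildcard searches on some attribute are a feature, allow '*' explicitly by passing it in the $ignore argument of ldap_escape() for that attribute only, rather than accepting arbitrary filter syntax.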