views:

2527

answers:

4

I have an LDAP query, which I am using to perform a search in C#. It uses two string variables (username and domain) which need to be escaped for security reasons.

How should I escape the strings? Is there a function available in C#.NET to do this?


Example LDAP search conditions:

(objectCategory=person)
(userprincipalname=username@domain*)
(samaccountname=username)

Example LDAP query string in C#:

string search = "(&(&(objectCategory=person)(userprincipalname=" 
        + username 
        + "@"
        + domain 
        + "*)(samaccountname=" 
        + username 
        + ")))";

Edit: I already have the LDAP query working, and returning results. All I want is to escape the parameters.

+2  A: 

Maybe let somebody else worry about it? See LINQtoAD.

Dan
That seems like overkill for just escaping a string?
Sophia
I think he's saying that LINQtoAD would be a better way to query AD overall. Just like you _could_ write straight SQL queries and then pull a dataset... but LINQtoSQL makes everything so much easier...
Telos
Oh, I see. I already have the query to AD working with just two lines (using System.DirectoryServices methods), so I don't really need it - I'm not using AD anywhere else in my project.
Sophia
@Telos: exactly my point. As this question shows, strings aren't very typesafe.
Dan
+2  A: 

Are you trying to prevent some sort of injection attack against your directory server via user input? If that is the case I would just validate the input with Regex before passing it to LDAP.

Jason Jackson
The username and domain name shouldn't have any of the characters that need to be escaped in the first place: , \ # + < > ; " =
UncleO
"If any of the following special characters must appear in the search filter as literals, they must be replaced by the listed escape sequence." http://msdn.microsoft.com/en-us/library/aa746475.aspx
Sophia
+1  A: 

I found a solution here, in a blog post about LDAP Injection

This solution involves adding your own function to escape the username and domain name, his solution is in Java, but the idea is there.

Also MSDN lists which special characters need to be replaced by escape sequences.

As far as I can tell, there doesn't seem to be any method for escaping LDAP strings in System.DirectoryServices (like there is in HttpServerUtility for URLs etc.).

Sophia
+6  A: 

The following is my translation from the Java code mentioned by Sophia into C#.

using System.Text;

/// <summary>
/// Escapes the LDAP search filter to prevent LDAP injection attacks.
/// </summary>
/// <param name="searchFilter">The search filter.</param>
/// <see cref="http://blogs.sun.com/shankar/entry/what_is_ldap_injection" />
/// <see cref="http://msdn.microsoft.com/en-us/library/aa746475.aspx" />
/// <returns>The escaped search filter.</returns>
private static string EscapeLdapSearchFilter(string searchFilter)
{
    StringBuilder escape = new StringBuilder();
    for (int i = 0; i < searchFilter.Length; ++i)
    {
        char current = searchFilter[i];
        switch (current)
        {
            case '\\':
                escape.Append(@"\5c");
                break;
            case '*':
                escape.Append(@"\2a");
                break;
            case '(':
                escape.Append(@"\28");
                break;
            case ')':
                escape.Append(@"\29");
                break;
            case '\u0000':
                escape.Append(@"\00");
                break;
            case '/':
                // Not in the MSDN/RFC 4515 list of characters that must be escaped;
                // kept from the Java original, and harmless since \2f is a valid escape.
                escape.Append(@"\2f");
                break;
            default:
                escape.Append(current);
                break;
        }
    }

    return escape.ToString();
}
Li Huan
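As an added example (not code from the question or any of the answers above), the following rebuilds the question's search filter with the two user-supplied values escaped according to the MSDN search-filter rules, and also shows the Regex allow-list check suggested in Jason Jackson's answer as a second layer. The escaping works on UTF-8 bytes rather than chars, because the `\XX` escape form in a filter denotes an octet; the allow-list patterns, the `LdapFilterDemo` and method names, and the sample inputs are assumptions made for this example. No directory is contacted; the program only builds and prints filter strings.

```csharp
// Added example, not from the original question or answers.
// Builds the question's filter with every user-supplied value escaped
// per RFC 4515 / the MSDN search-filter syntax page, and shows an
// injection payload before and after escaping. Nothing is sent to AD.
using System;
using System.Text;
using System.Text.RegularExpressions;

static class LdapFilterDemo
{
    // Escape a value that will be placed inside an LDAP search filter.
    // RFC 4515 requires '*', '(', ')', '\' and NUL to be written as
    // backslash + two hex digits. The escape denotes an octet, so the
    // value is processed as UTF-8 bytes; non-ASCII bytes are hex-escaped
    // too (permitted by the RFC, and it sidesteps encoding ambiguities).
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        foreach (byte b in Encoding.UTF8.GetBytes(value))
        {
            switch (b)
            {
                case 0x2A: // '*'
                case 0x28: // '('
                case 0x29: // ')'
                case 0x5C: // '\'
                case 0x00: // NUL
                    sb.Append('\\').Append(b.ToString("x2"));
                    break;
                default:
                    if (b >= 0x80) sb.Append('\\').Append(b.ToString("x2"));
                    else sb.Append((char)b);
                    break;
            }
        }
        return sb.ToString();
    }

    // Allow-list check in the spirit of the Regex suggestion. The patterns are
    // an assumption for this example (a sAMAccountName-style user part and a
    // DNS-style domain); tighten them to your own naming rules.
    private static readonly Regex UserPattern =
        new Regex(@"^[A-Za-z0-9._-]{1,64}$");
    private static readonly Regex DomainPattern =
        new Regex(@"^[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*$");

    public static bool IsPlausibleInput(string username, string domain)
        => username != null && domain != null
           && UserPattern.IsMatch(username) && DomainPattern.IsMatch(domain);

    // The question's filter with the redundant inner (& ...) dropped.
    // Only the variable parts are escaped: the trailing '*' after the
    // domain is an intentional wildcard and must stay unescaped.
    public static string BuildUserFilter(string username, string domain)
    {
        string u = EscapeFilterValue(username);
        string d = EscapeFilterValue(domain);
        return "(&(objectCategory=person)(userprincipalname=" + u + "@" + d
             + "*)(samaccountname=" + u + "))";
    }

    static void Main()
    {
        // Constructed inputs for the demonstration.
        Console.WriteLine(BuildUserFilter("jsmith", "example.com"));

        // Classic injection attempt: tries to close the clause and add a
        // match-all condition. After escaping it is literal text inside
        // the value, not filter syntax.
        string evil = "*)(objectClass=*";
        Console.WriteLine(BuildUserFilter(evil, "example.com"));

        // The allow-list layer rejects the same payload outright.
        Console.WriteLine(IsPlausibleInput("jsmith", "example.com"));
        Console.WriteLine(IsPlausibleInput(evil, "example.com"));
    }
}
```

With the malicious input the `userprincipalname` value comes out as `\2a\29\28objectClass=\2a@example.com*`, so the filter still contains exactly the three clauses the code intended. Escaping alone is enough to keep the filter well-formed; the Regex check is an independent, earlier gate that gives a clear error instead of a silent no-match. One caveat for practitioners: these rules are for values inside a search filter only. A value inserted into a distinguished name (for example when building a bind DN or a search base) follows the separate RFC 4514 DN escaping rules, where characters such as `,`, `+`, `"`, `;`, `<`, `>`, `=` and `#` matter, so use a DN-specific escaper there rather than this function.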