[Date Prev][Date Next]
Re: escaping strings in DN
Erik Thiele wrote:
i just started typing this code:
ldap_simple_bind_s ("uid="+victim+",ou=People,dc=mine", pass);
(it is C, the + is just for simplification)
i think this is a security problem, as the user can type the "victim" in
an edit field. for example he can do:
and creates effects not intended by the programmer.
Every application is responsible for validating its input according to local
definitions and security policy.
i don't find a
Just calling an escape function is not a substitution for checking input.
This is not specific to OpenLDAP though...