LDAP Injection

LDAP injection is a security vulnerability that occurs when untrusted user input is incorporated into an LDAP query without proper sanitisation or escaping. An attacker can manipulate the LDAP filter or distinguished name (DN) to bypass authentication, escalate privileges, or extract sensitive directory information.

LDAP filters use special characters such as *, (, ), \, and NUL. Injecting these characters can alter the logic of a filter. For example, inserting * as a username may cause a wildcard match that returns all users.

Mitigation strategies include:

  • Escaping special characters with ldap_escape() (available since PHP 5.6)

  • Using allowlists to validate input before use in a query

  • Applying the principle of least privilege on the LDAP service account

<?php

// Connection details are placeholders for illustration only
$conn = ldap_connect('ldap://ldap.example.com');
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($conn); // anonymous bind, for illustration

$username = $_POST['username'] ?? '';

// Vulnerable: attacker can inject LDAP metacharacters
$filter = '(uid=' . $username . ')';

// Safe: use ldap_escape() with LDAP_ESCAPE_FILTER
$safe   = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
$filter = '(uid=' . $safe . ')';

$result  = ldap_search($conn, 'ou=People,dc=example,dc=com', $filter);
$entries = ldap_get_entries($conn, $result);

?>
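As an added example (not part of the original page), the Python below reimplements the RFC 4515 filter escaping that ldap_escape() applies under LDAP_ESCAPE_FILTER and evaluates the resulting filters against a constructed sample directory, so the effect of an unescaped versus an escaped wildcard can be seen directly. The directory contents, the toy matcher and the usernames are constructed for the illustration and stand in for a real LDAP server.

```python
import re

# RFC 4515 metacharacters and their hex escapes (the set ldap_escape() handles
# under LDAP_ESCAPE_FILTER).
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe use inside an LDAP search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(username: str, escape: bool = True) -> str:
    """Build '(uid=...)'; escape=False reproduces the vulnerable concatenation."""
    value = escape_filter_value(username) if escape else username
    return f'(uid={value})'


# Constructed sample directory (uid -> display name); not data from a real server.
DIRECTORY = {'alice': 'Alice Example', 'bob': 'Bob Example', 'carol': 'Carol Example'}


def matches(filter_str: str, uid: str) -> bool:
    """Toy evaluator for one '(uid=pattern)' filter, mimicking server semantics:
    an unescaped '*' is a substring wildcard, a '\\XX' hex escape is one literal char."""
    m = re.fullmatch(r'\(uid=(.*)\)', filter_str)
    if m is None:
        return False  # malformed filter (e.g. unbalanced parentheses) selects nothing
    pattern, regex, i = m.group(1), '', 0
    while i < len(pattern):
        hexpart = pattern[i + 1:i + 3]
        if pattern[i] == '\\' and re.fullmatch(r'[0-9a-fA-F]{2}', hexpart):
            regex += re.escape(chr(int(hexpart, 16)))  # escaped byte is literal
            i += 3
        elif pattern[i] == '*':
            regex += '.*'  # wildcard
            i += 1
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.fullmatch(regex, uid, flags=re.DOTALL) is not None


def search(filter_str: str) -> list:
    """Return the uids the filter selects from the sample directory."""
    return sorted(uid for uid in DIRECTORY if matches(filter_str, uid))


if __name__ == '__main__':
    print(search(build_uid_filter('*', escape=False)))  # ['alice', 'bob', 'carol']
    print(search(build_uid_filter('*')))                # []
    print(search(build_uid_filter('alice')))            # ['alice']
```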

Documentation

See also LDAP Injection Prevention Cheat Sheet — OWASP and ldap_escape() — PHP Manual.

Related: Lightweight Directory Access Protocol (LDAP), Injection, SQL Injection, Escape Data, Taint Analysis, Static Application Security Testing (SAST), Security