LDAP Injection
LDAP injection is a security vulnerability that occurs when untrusted user input is incorporated into an LDAP query without proper sanitisation or escaping. An attacker can manipulate the LDAP filter or distinguished name (DN) to bypass authentication, escalate privileges, or extract sensitive directory information.
LDAP filters use special characters such as *, (, ), \, and NUL. Injecting these characters can alter the logic of a filter. For example, inserting * as a username may cause a wildcard match that returns all users.
Mitigation strategies include:
- Escaping special characters with ldap_escape() (available since PHP 5.6)
- Using allowlists to validate input before use in a query
- Applying the principle of least privilege on the LDAP service account
<?php
// $conn is an LDAP connection handle obtained earlier via ldap_connect() and ldap_bind().
$username = $_POST['username'] ?? '';

// Vulnerable: attacker can inject LDAP metacharacters (e.g. '*' alone matches every uid)
$filter = '(uid=' . $username . ')';

// Safe: escape the value with ldap_escape() in LDAP_ESCAPE_FILTER mode, which
// hex-encodes * ( ) \ and NUL so the directory treats them as literal characters
$safe = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
$filter = '(uid=' . $safe . ')';
$result = ldap_search($conn, 'ou=People,dc=example,dc=com', $filter);
?>
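As an added example (not part of the original page), the following Python reimplements the RFC 4515 value escaping that ldap_escape() performs in LDAP_ESCAPE_FILTER mode and runs both the naive and the escaped (uid=...) filter through a toy matcher, so the wildcard effect of an injected * is visible without a directory server. The matcher, the helper names and the sample uids are constructed for this illustration.

```python
import re

# Characters RFC 4515 requires to be hex-escaped inside a filter value; the
# same set PHP's ldap_escape() handles in LDAP_ESCAPE_FILTER mode.
_FILTER_SPECIALS = "*()\\\x00"

def escape_filter_value(value: str) -> str:
    """Escape untrusted input so it is treated literally inside a filter."""
    return "".join(f"\\{ord(c):02x}" if c in _FILTER_SPECIALS else c for c in value)

def build_uid_filter(username: str, escape: bool = True) -> str:
    """Build a (uid=...) filter, either escaped (safe) or naively (vulnerable)."""
    value = escape_filter_value(username) if escape else username
    return f"(uid={value})"

_UID_FILTER = re.compile(r"^\(uid=(.*)\)$")

def _value_to_regex(value: str) -> str:
    """Translate an RFC 4515 assertion value into a regex: an unescaped '*'
    is a wildcard, while a backslash plus two hex digits is one literal char."""
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", value[i + 1:i + 3]):
            out.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif c == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)

def matching_uids(filter_str: str, uids: list[str]) -> list[str]:
    """Toy evaluator for a single (uid=<value>) filter over a list of uids."""
    m = _UID_FILTER.match(filter_str)
    if m is None:
        raise ValueError(f"unsupported filter: {filter_str!r}")
    rx = re.compile(_value_to_regex(m.group(1)))
    return [u for u in uids if rx.fullmatch(u)]

# Constructed sample directory contents (not real data).
SAMPLE_UIDS = ["alice", "bob", "carol"]

if __name__ == "__main__":
    for user in ["alice", "*", "al*"]:
        for escape in (False, True):
            f = build_uid_filter(user, escape)
            print(f"{user!r:8} {'escaped' if escape else 'naive  '} {f!r:14} -> {matching_uids(f, SAMPLE_UIDS)}")
```

With the naive filter, a username of * returns every entry; with the escaped filter the same input becomes (uid=\2a) and matches only a literal uid of "*".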
See also LDAP Injection Prevention Cheat Sheet — OWASP and ldap_escape() — PHP Manual.
Related: Lightweight Directory Access Protocol (LDAP), Injection, SQL Injection, Escape Data, Taint Analysis, Static Application Security Testing (SAST), Security