How to escape a string in C#, for use in an LDAP query (tag: ldap-query)

Accepted answer
Score: 33

The following is my translation from the Java code mentioned by Sophia into C#.

using System.Text;

/// <summary>
/// Escapes the LDAP search filter to prevent LDAP injection attacks.
/// </summary>
/// <param name="searchFilter">The search filter.</param>
/// <see cref="https://blogs.oracle.com/shankar/entry/what_is_ldap_injection" />
/// <see cref="http://msdn.microsoft.com/en-us/library/aa746475.aspx" />
/// <returns>The escaped search filter.</returns>
private static string EscapeLdapSearchFilter(string searchFilter)
{
    // Each LDAP filter metacharacter is replaced by a backslash plus its two-digit hex code.
    StringBuilder escape = new StringBuilder();
    for (int i = 0; i < searchFilter.Length; ++i)
    {
        char current = searchFilter[i];
        switch (current)
        {
            case '\\':
                escape.Append(@"\5c");
                break;
            case '*':
                escape.Append(@"\2a");
                break;
            case '(':
                escape.Append(@"\28");
                break;
            case ')':
                escape.Append(@"\29");
                break;
            case '\u0000':
                escape.Append(@"\00");
                break;
            case '/':
                escape.Append(@"\2f");
                break;
            default:
                escape.Append(current);
                break;
        }
    }

    return escape.ToString();
}

Score: 6

I found a solution here, in a blog post about LDAP Injection

This solution involves adding your own function to escape the username and domain name; his solution is in Java, but the idea is there.

Also, MSDN lists which special characters need to be replaced by escape sequences.

As far as I can tell there doesn't seem to be any method for escaping LDAP strings in System.DirectoryServices (like there is in HttpServerUtility for URLs etc.).

Score: 4

Use the AntiXss library from https://www.nuget.org/packages/AntiXss

string encoded = Microsoft.Security.Application.Encoder.LdapFilterEncode(input);


Score: 2

Maybe let somebody else worry about it? See LINQtoAD.

Score: 2

Are you trying to prevent some sort of injection attack against your directory server via user input? If that is the case I would just validate the input with Regex before passing it to LDAP.

Score: 0

Use PInvoke with DsQuoteRdnValueW. For code, see my answer to another question: https://stackoverflow.com/a/11091804/628981
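Added example (my own code, not from any of the answers above) that serves both the accepted answer's filter escaping and the DN escaping this last answer delegates to DsQuoteRdnValueW: a managed `LdapEscape` class (hypothetical name) with one method per context, because search-filter values (RFC 4515: `\ * ( )` and NUL) and distinguished-name values (RFC 4514: `\ , + " < > ;`, leading `#`, leading/trailing space) have different escape rules and a string safe in one is not automatically safe in the other. The sample input and the `OU=Users,DC=example,DC=com` base are constructed; RFC 4515 does not require `/` to be escaped, so the extra `\2f` in the accepted answer is harmless but not needed.

```csharp
using System;
using System.Text;

public static class LdapEscape
{
    // RFC 4515: \ * ( ) and NUL must be escaped as \XX; this also hex-escapes
    // every non-ASCII UTF-8 byte, which the RFC permits for any octet.
    public static string Filter(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        foreach (byte b in Encoding.UTF8.GetBytes(value))
        {
            if (b == '\\' || b == '*' || b == '(' || b == ')' || b == 0 || b >= 0x80)
                sb.Append('\\').Append(b.ToString("x2"));
            else
                sb.Append((char)b);
        }
        return sb.ToString();
    }

    // RFC 4514: escape \ , + " < > ; anywhere, # only when leading, space only
    // when leading or trailing, and NUL as \00 (the rules DsQuoteRdnValueW applies).
    public static string DnValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            bool atEdge = i == 0 || i == value.Length - 1;
            if (c == '\0') sb.Append(@"\00");
            else if ("\\,+\"<>;".IndexOf(c) >= 0 || (i == 0 && c == '#') || (atEdge && c == ' '))
                sb.Append('\\').Append(c);
            else sb.Append(c);
        }
        return sb.ToString();
    }
}

class Demo
{
    static void Main()
    {
        string name = "Müller, Anna (Admin)*"; // constructed sample input with metacharacters of both kinds
        Console.WriteLine("(&(objectCategory=person)(cn=" + LdapEscape.Filter(name) + "))");
        Console.WriteLine("CN=" + LdapEscape.DnValue(name) + ",OU=Users,DC=example,DC=com");
    }
}
```

Pass the first string as the `Filter` of a `DirectorySearcher` and the second as a bind path; never feed the output of one method into the other context.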
