better LDAP filter escaping

author Andreas Gohr <gohr@cosmocode.de>

Wed, 13 Jun 2007 14:43:10 +0000 (16:43 +0200)

committer Andreas Gohr <gohr@cosmocode.de>

Wed, 13 Jun 2007 14:43:10 +0000 (16:43 +0200)
author Andreas Gohr <gohr@cosmocode.de>
Wed, 13 Jun 2007 14:43:10 +0000 (16:43 +0200)
committer Andreas Gohr <gohr@cosmocode.de>
Wed, 13 Jun 2007 14:43:10 +0000 (16:43 +0200)
diff --git a/functions.php b/functions.php

index 671fca402a873b55017460f1544669b31bdb898b..9166d31ca0c5e9f77ead7d923a32e21ce2ae7029 100644 (file)
--- a/functions.php
+++ b/functions.php
@@ -348,10 +348,16 @@ function ldap_store_objectclasses($dn,$classes){
  }
  
  /**
- * escape parenthesises in given string
+ * Escape a string to be used in a LDAP filter
+ *
+ * Ported from Perl's Net::LDAP::Util escape_filter_value
+ *
+ * @author Andreas Gohr <andi@splitbrain.org>
   */
  function ldap_filterescape($string){
-  return strtr($string,array('('=>'\(', ')'=>'\)'));
+  return preg_replace('/([\x00-\x1F\*\(\)\\\\])/e',
+                            '"\\\\\".join("",unpack("H2","$1"))',
+                            $string);
  }
  
  /**
diff --git a/index.php b/index.php

index 01eeb47de25cf70c1c2ac6ad742709ecaa5f25be..857e69e3ac654b85a4e4d0358a36cad6bb42413d 100644 (file)
--- a/index.php
+++ b/index.php
@@ -139,7 +139,7 @@
          $other .= '(!('.$FIELDS['name'].'='.chr($i).'*))';
        }
        $ldapfilter = "(&(objectClass=inetOrgPerson)$other)";
-    }elseif($filter=='*'){
+    }elseif($filter=='\2a'){ //escaped asterisk
        // List all
        $ldapfilter = "(objectClass=inetOrgPerson)";
      }else{
author	Andreas Gohr <gohr@cosmocode.de>
	Wed, 13 Jun 2007 14:43:10 +0000 (16:43 +0200)
committer	Andreas Gohr <gohr@cosmocode.de>
	Wed, 13 Jun 2007 14:43:10 +0000 (16:43 +0200)
functions.php		patch \| blob \| history
index.php		patch \| blob \| history