On 5/30/12 10:08 PM, David Parker wrote:
On 05/30/2012 12:55 PM, Hendy Irawan wrote:
Dear Apache Directory users,
How do I escape an LDAP filter query?
e.g.
String searchTerm = ...; // from user input
String filter = "(&(objectclass=person)(cn=*" +
escapeFunction(searchTerm)
+ "*))";
What is this escapeFunction?
Hello,
What exactly do you want to escape in searchTerm? Are you trying to
prevent someone from entering something like
"johndoe,o=x.com,dc=x,dc=com" as the search term? If that is the
case, then you could sanitize the input using something like this:
if (searchTerm.contains(",")) {
    searchTerm = searchTerm.substring(0, searchTerm.indexOf(","));
}
Or you could simply sanitize the user input by checking for various
characters (& | ! , etc.) and rejecting the input if one of these is
found in the string.
I'm not much of a Java programmer, so there is probably a better way,
but I hope this helps.
- Dave
I guess you expect something like a Filter.escape( String ) method that
creates a filter with escaped chars.
So if you call Filter.escape( "(myAttr=I'm a \u002a)" ), it will return
the escaped string "(myAttr=I'm a \\2A)"
Filter special chars in values are:
'*' translates to \2A
'(' translates to \28
')' translates to \29
'\' translates to \5C
0x00 translates to \00
Note that you still have to provide a String that distinguishes those 5
characters, so at some point, it's probably enough to do the escaping by
hand. The method I described would just be a bit superfluous...
Also note that no other character needs to be escaped but those 5 ones.
There is no risk that a &, | or ! can be confused with an operator in a
value.
--
Regards,
Emmanuel Lécharny
www.iktek.com
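As an added example (not code from the thread or from Apache Directory), here is the escape function the question asks for, written in Java against the five-character list in the last reply, together with the substring filter from the original question built around an escaped term. Applied to an assertion value, all five characters are replaced by their \XX form, parentheses included; the class and method names are assumptions, and the hostile search term in main is constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Escaping of LDAP search-filter assertion values (RFC 4515).
 * Only the five characters listed in the reply need escaping; each is
 * replaced by a backslash followed by its two-digit hex code.
 */
public final class LdapFilterEscape {

    /** The five characters that are special inside a filter value. */
    private static final Map<Character, String> ESCAPES = new HashMap<>();
    static {
        ESCAPES.put('*',  "\\2A");
        ESCAPES.put('(',  "\\28");
        ESCAPES.put(')',  "\\29");
        ESCAPES.put('\\', "\\5C");
        ESCAPES.put('\0', "\\00");
    }

    private LdapFilterEscape() {
    }

    /** Returns value with '*', '(', ')', '\' and NUL rewritten as \2A, \28, \29, \5C and \00. */
    public static String escape(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            String replacement = ESCAPES.get(c);
            if (replacement != null) {
                sb.append(replacement);
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The filter from the original question, with the user-supplied term escaped first. */
    public static String personByCnSubstring(String searchTerm) {
        return "(&(objectclass=person)(cn=*" + escape(searchTerm) + "*))";
    }

    public static void main(String[] args) {
        // The value from the reply: \u002a is '*', so it becomes \2A;
        // the surrounding parentheses become \28 and \29.
        System.out.println(escape("(myAttr=I'm a \u002a)"));

        // Constructed term containing '*', ')' and '(' that, left unescaped,
        // would close the cn clause early and add its own assertion.
        String hostile = "*)(objectclass=*";
        System.out.println(personByCnSubstring(hostile));
    }
}
```

With the term escaped, the generated filter keeps the user's text inside the cn assertion: the parentheses and asterisks are emitted as \28, \29 and \2A, so they are matched as literal characters rather than read as filter syntax. Characters such as &, | and ! pass through unchanged, as the reply notes they need no escaping in a value.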