Preventing LDAP Injection in Java

Performing LDAP queries requires correctly escaping certain meta-characters. The distinguished name (DN) and the search filter each have their own set of meta-characters (RFC 2253 for DNs, RFC 2254 for filters). In Java it is also necessary to escape JNDI meta-characters, since Java uses JNDI to perform LDAP queries, and the '/' character is a JNDI name separator. The examples below present Java methods that could be used to perform this escaping:

Note: This is untested code --Stephendv 05:08, 10 July 2006 (EDT)

    public String escapeDN(String name) {
        // From RFC 2253, plus the '/' character for JNDI
        final char[] META_CHARS = {',', '+', '"', '<', '>', ';', '/'};
        String escapedStr = new String(name);
        // Backslash is both a Java and an LDAP escape character, so escape it first.
        // The regex "\\\\" matches one backslash; the replacement "\\\\\\\\" emits two.
        escapedStr = escapedStr.replaceAll("\\\\", "\\\\\\\\");
        // Positional characters - see RFC 2253: a leading '#', and a leading or trailing space
        escapedStr = escapedStr.replaceAll("^#", "\\\\#");
        escapedStr = escapedStr.replaceAll("^ | $", "\\\\ ");
        // Remaining meta-characters, each prefixed with a single backslash
        for (int i = 0; i < META_CHARS.length; i++) {
            escapedStr = escapedStr.replaceAll("\\" + META_CHARS[i], "\\\\" + META_CHARS[i]);
        }
        return escapedStr;
    }

Note that the backslash character is both a Java string-literal escape character and a regular-expression escape character, which is why it appears doubled twice over in the calls to replaceAll below.

    public String escapeSearchFilter(String filter) {
        // From RFC 2254
        String escapedStr = new String(filter);
        // Backslash first, so the backslashes introduced below are not escaped a second time
        escapedStr = escapedStr.replaceAll("\\\\", "\\\\5c");
        escapedStr = escapedStr.replaceAll("\\*", "\\\\2a");
        escapedStr = escapedStr.replaceAll("\\(", "\\\\28");
        escapedStr = escapedStr.replaceAll("\\)", "\\\\29");
        // NUL is also a filter meta-character
        escapedStr = escapedStr.replaceAll("\\" + Character.toString('\u0000'), "\\\\00");
        return escapedStr;
    }
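The following class is an added example, not code from the original page or from its author. It applies the same RFC 2253 and RFC 2254 rules as the two methods above, written as character loops instead of regex replacements so there is no double-escaping to reason about, and shows how the escaped values are placed into a DN and a filter. The class name LdapLookup, the base DN ou=people,dc=example,dc=com and the sample inputs are constructed for the example. The findUser method shows the JNDI-native alternative, where DirContext.search substitutes a {0} placeholder with a filter argument and applies RFC 2254 escaping to String arguments itself.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapLookup {

    // Constructed base DN for this example.
    private static final String BASE_DN = "ou=people,dc=example,dc=com";

    // Search-filter escaping per RFC 2254: the four filter meta-characters and NUL
    // are replaced by a backslash followed by their two-digit hex code.
    public static String escapeSearchFilter(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\':     sb.append("\\5c"); break;
                case '*':      sb.append("\\2a"); break;
                case '(':      sb.append("\\28"); break;
                case ')':      sb.append("\\29"); break;
                case '\u0000': sb.append("\\00"); break;
                default:       sb.append(c);
            }
        }
        return sb.toString();
    }

    // DN escaping per RFC 2253 (plus '/' for JNDI): each meta-character is prefixed
    // with a backslash; '#' only needs it at the start of the value, and a space only
    // at the start or end of the value.
    public static String escapeDN(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        int last = value.length() - 1;
        for (int i = 0; i <= last; i++) {
            char c = value.charAt(i);
            boolean positional = (c == '#' && i == 0) || (c == ' ' && (i == 0 || i == last));
            if (c == ',' || c == '+' || c == '"' || c == '\\' || c == '<' || c == '>'
                    || c == ';' || c == '/' || positional) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    // Equality filter in which the user-supplied value can only ever match literally.
    public static String userFilter(String cn) {
        return "(cn=" + escapeSearchFilter(cn) + ")";
    }

    // DN of a user entry with the RDN value escaped, so it cannot add or alter RDNs.
    public static String userDn(String cn) {
        return "cn=" + escapeDN(cn) + "," + BASE_DN;
    }

    // JNDI-native alternative: the {0} placeholder is filled from filterArgs, and JNDI
    // escapes String arguments according to RFC 2254 before sending the filter.
    public static NamingEnumeration<SearchResult> findUser(DirContext ctx, String cn)
            throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        return ctx.search(BASE_DN, "(cn={0})", new Object[] { cn }, controls);
    }

    public static void main(String[] args) {
        // Constructed inputs containing filter and DN meta-characters.
        String filterInput = "Smith (Sales)*";
        String dnInput = " Smith, John+Jr\\ ";
        System.out.println(userFilter(filterInput));
        System.out.println(userDn(dnInput));
    }
}
```

Running main shows that the parentheses and asterisk in the filter input come out as \28, \29 and \2a, and that the leading space, comma, plus sign, backslash and trailing space in the DN input each gain a backslash, so the directory server parses both as one literal value rather than as extra filter terms or RDN components.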