如何在 C# 中转义字符串,以用于 LDAP 查询
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/649149/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to escape a string in C#, for use in an LDAP query
提问by Sophia
I have an LDAP query, which I am using to perform a search in C#. It uses two string variables (username and domain) which need to be escaped for security reasons.
我有一个 LDAP 查询,用于在 C# 中执行搜索。它使用两个字符串变量(用户名和域),出于安全原因需要对其进行转义。
How should I escape the strings? Is there a function available in C#.NET to do this?
我应该如何转义字符串?C#.NET 中是否有可用的函数来执行此操作?
Example LDAP search conditions :
LDAP 搜索条件示例:
(objectCategory=person)
(userprincipalname=username@domain*)
(samaccountname=username)
Example LDAP query string in C# :
C# 中的 LDAP 查询字符串示例:
string search = "(&(&(objectCategory=person)(userprincipalname="
+ username
+ "@"
+ domain
+ "*)(samaccountname="
+ username
+ ")))";
Edit: I already have the LDAP query working, and returning results. All I want is to escape the parameters.
编辑:我已经有 LDAP 查询工作,并返回结果。我想要的只是转义参数。
采纳答案by Jeow Li Huan
The following is my translation from the Java code mentioned by Sophia into C#.
下面是我把Sophia提到的Java代码翻译成C#。
/// <summary>
/// Escapes the LDAP search filter to prevent LDAP injection attacks.
/// </summary>
/// <param name="searchFilter">The search filter.</param>
/// <see cref="https://blogs.oracle.com/shankar/entry/what_is_ldap_injection" />
/// <see cref="http://msdn.microsoft.com/en-us/library/aa746475.aspx" />
/// <returns>The escaped search filter.</returns>
private static string EscapeLdapSearchFilter(string searchFilter)
{
StringBuilder escape = new StringBuilder(); // If using JDK >= 1.5 consider using StringBuilder
for (int i = 0; i < searchFilter.Length; ++i)
{
char current = searchFilter[i];
switch (current)
{
case '\':
escape.Append(@"c");
break;
case '*':
escape.Append(@"a");
break;
case '(':
escape.Append(@"");
break;
case ')':
escape.Append(@"");
break;
case '\u0000':
escape.Append(@"string encoded = Microsoft.Security.Application.Encoder.LdapFilterEncode(input);
");
break;
case '/':
escape.Append(@"f");
break;
default:
escape.Append(current);
break;
}
}
return escape.ToString();
}
回答by Jason Hymanson
Are you trying to prevent some sort of injection attack against your directory server via user input? If that is the case I would just validate the input with Regex before passing it to LDAP.
您是否试图通过用户输入来防止对您的目录服务器进行某种注入攻击?如果是这种情况,我只会在将输入传递给 LDAP 之前使用 Regex 验证输入。
回答by Sophia
I found a solution here, in a blog post about LDAP Injection
我在这里找到了一个解决方案,在一篇关于 LDAP 注入的博客文章中
This solution involves adding your own function to escape the username and domain name, his solution is in Java, but the idea is there.
这个解决方案涉及添加您自己的函数来转义用户名和域名,他的解决方案是在Java中,但想法就在那里。
Also MSDNlists which special characters need to be replaced by escape sequences.
MSDN还列出了哪些特殊字符需要用转义序列替换。
As far as I can tell there doesn't seem to be any method for escaping LDAP strings in System.DirectoryServices (like there is in HttpServerUtility for URLs etc)
据我所知,似乎没有任何方法可以在 System.DirectoryServices 中转义 LDAP 字符串(就像 HttpServerUtility 中的 URL 等)
回答by Sean Hall
Use PInvoke with DsQuoteRdnValueW. For code, see my answer to another question: https://stackoverflow.com/a/11091804/628981
将 PInvoke 与DsQuoteRdnValueW. 对于代码,请参阅我对另一个问题的回答:https: //stackoverflow.com/a/11091804/628981
回答by opis-kladno
Use AntiXss library from address: https://www.nuget.org/packages/AntiXss
使用来自地址的 AntiXss 库:https://www.nuget.org/packages/AntiXss
##代码##