
LDAP Injection

Tags: security · CWE-90 · OWASP A3:2021 · CVSS 7.5 · PHP 5.6+ · Intermediate

Also Known As

LDAP attack, directory injection

TL;DR

Unsanitised input manipulates LDAP query filters, bypassing authentication or exposing directory data.

Explanation

LDAP injection is the directory-service analogue of SQL injection: it targets Lightweight Directory Access Protocol query filters. If user-supplied values are concatenated directly into an LDAP filter string, an attacker can alter the query logic, for example by injecting *)(&) to match all entries or to bypass authentication checks. PHP applications that call ldap_search() must escape special characters with ldap_escape() before building filter strings.

How It's Exploited

An attacker submits the username *)(uid=*))(|(uid=* into a login form. If the application builds the filter as (uid=<input>), the injected string collapses into a filter that always matches, granting access without a valid password.

Common Misconception

"LDAP injection is rare and low impact." In reality, a successful injection can bypass authentication entirely by manipulating filter logic, enumerate directory users, and extract sensitive attributes such as group memberships and email addresses.

Why It Matters

Unsanitised input in LDAP filters can bypass authentication, enumerate directory entries, or extract sensitive attributes from the directory.

Common Mistakes

  • Concatenating user input into LDAP filter strings without using ldap_escape().
  • Not specifying LDAP_ESCAPE_FILTER or LDAP_ESCAPE_DN context in ldap_escape() calls.
  • Binding to LDAP with an admin account for all operations instead of a restricted read-only account.
  • Believing that LDAP is only used for authentication and therefore less exploitable than SQL databases.

Code Examples

✗ Vulnerable

// User input is interpolated straight into the filter; filter metacharacters in $username change the query logic.
$filter = "(uid=$username)";
ldap_search($conn, $base, $filter);

✓ Fixed

// Hex-escape filter metacharacters (\ * ( ) NUL) before interpolating, so the value can only ever be compared literally.
$safe = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
ldap_search($conn, $base, "(uid=$safe)");
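The escaping step in the fix above, rebuilt in Python as an added example that is not code from this page or from PHP itself: escape_filter_value mirrors the character set ldap_escape() hex-encodes under LDAP_ESCAPE_FILTER, build_uid_filter shows the vulnerable and fixed filter strings side by side for the payload from "How It's Exploited", and is_single_equality_filter is an assumed guard a caller could run before a search to confirm the filter still contains exactly one equality match. All function names are this example's own.

```python
import re

# Characters that ldap_escape() hex-encodes under LDAP_ESCAPE_FILTER
# (the RFC 4515 filter metacharacters: backslash, star, parens, NUL).
_FILTER_META = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value as ldap_escape($v, '', LDAP_ESCAPE_FILTER) does."""
    return "".join(_FILTER_META.get(ch, ch) for ch in value)


def build_uid_filter(username: str, escape: bool = True) -> str:
    """Build the (uid=...) login filter; escape=False mirrors the vulnerable concatenation."""
    value = escape_filter_value(username) if escape else username
    return f"(uid={value})"


# Exactly one (attr=value) assertion whose value holds only plain characters or \HH escapes.
# Hypothetical guard: exact-match lookups such as a login check should never need a raw
# metacharacter in the value, so anything else is rejected before it reaches the directory.
_SINGLE_EQUALITY = re.compile(
    r"^\(([A-Za-z][A-Za-z0-9-]*)=((?:[^()*\\\x00]|\\[0-9A-Fa-f]{2})*)\)$"
)


def is_single_equality_filter(filter_str: str) -> bool:
    """True only if filter_str is a single literal equality match with no unescaped metacharacters."""
    return _SINGLE_EQUALITY.fullmatch(filter_str) is not None


if __name__ == "__main__":
    payload = "*)(uid=*))(|(uid=*"  # the injection string discussed on this page
    for escaped in (False, True):
        f = build_uid_filter(payload, escape=escaped)
        print(f"escape={escaped}: {f}  single-assertion={is_single_equality_filter(f)}")
```

The guard is deliberately strict: a legitimate substring search (uid=ali*) also fails it, so apply it only where an exact match is intended.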

Added 15 Mar 2026
Edited 22 Mar 2026
Tools & Severity

Severity: High. Fix effort: Low.

Quick Fix: Use ldap_escape() with LDAP_ESCAPE_FILTER for search filters and LDAP_ESCAPE_DN for distinguished names; these escape the special characters that make LDAP injection possible.

Applies To: PHP 5.6+ (web, CLI)

Detection Hints: LDAP filter built from user input that is not escaped via ldap_escape(); string concatenation building an LDAP filter or DN.

Auto-detectable: Yes (semgrep, psalm)