{
    "slug": "ldap_injection",
    "term": "LDAP Injection",
    "category": "security",
    "difficulty": "intermediate",
    "short": "Unsanitised input manipulates LDAP query filters, bypassing authentication or exposing directory data.",
    "long": "LDAP injection is analogous to SQL injection but targets Lightweight Directory Access Protocol (LDAP) queries. If user-supplied values are concatenated directly into an LDAP filter string, an attacker can alter the query logic — for example, injecting *)(&) so that the filter matches every entry or bypasses an authentication check. PHP applications using ldap_search() must escape special characters with ldap_escape() before building filter strings.",
    "aliases": [
        "LDAP attack",
        "directory injection"
    ],
    "tags": [
        "injection",
        "authentication",
        "cwe-90"
    ],
    "misconception": "LDAP injection is rare and low impact. In reality, a successful injection can bypass authentication entirely by manipulating filter logic, enumerate directory users, and extract sensitive attributes such as group memberships and email addresses.",
    "why_it_matters": "Unsanitised input in LDAP filters can bypass authentication, enumerate directory entries, or extract sensitive attributes from the directory.",
    "common_mistakes": [
        "Concatenating user input into LDAP filter strings without using ldap_escape().",
        "Not specifying LDAP_ESCAPE_FILTER or LDAP_ESCAPE_DN context in ldap_escape() calls.",
        "Binding to LDAP with an admin account for all operations instead of a restricted read-only account.",
        "Believing that LDAP is only used for authentication and therefore less exploitable than SQL databases."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "sql_injection",
        "input_validation"
    ],
    "prerequisites": [
        "sql_injection",
        "input_validation",
        "allowlist_vs_blocklist"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/LDAP_Injection",
        "https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html"
    ],
    "bad_code": "$filter = \"(uid=$username)\"; ldap_search($conn, $base, $filter);",
    "good_code": "$safe = ldap_escape($username, '', LDAP_ESCAPE_FILTER); ldap_search($conn, $base, \"(uid=$safe)\");",
    "quick_fix": "Use ldap_escape() with LDAP_ESCAPE_FILTER for search filters and LDAP_ESCAPE_DN for distinguished names — these escape the special characters that make LDAP injection possible.",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/ldap_injection",
        "html_url": "https://codeclaritylab.com/glossary/ldap_injection",
        "json_url": "https://codeclaritylab.com/glossary/ldap_injection.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[LDAP Injection](https://codeclaritylab.com/glossary/ldap_injection) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/ldap_injection"
            }
        }
    }
}