== How to fix it in Core PHP

=== Code examples

The following noncompliant code is vulnerable to LDAP injection because untrusted data is
concatenated to an LDAP query without prior sanitization or validation.

==== Noncompliant code example

[source,php,diff-id=1,diff-type=noncompliant]
----
$ldapconn = ldap_connect("localhost");

if($ldapconn){
  $user = $_GET["user"];

  $filter = "(&(objectClass=user)(uid=" . $user . "))";
  $dn = "dc=example,dc=org";

  ldap_list($ldapconn, $dn, $filter); // Noncompliant
}
----

==== Compliant solution

[source,php,diff-id=1,diff-type=compliant]
----
$ldapconn = ldap_connect("localhost");

if($ldapconn){
  $user = $ldap_escape($_GET["user"], "", LDAP_ESCAPE_FILTER);
  
  $filter = "(&(objectClass=user)(uid=" . $user . "))";
  $dn = "dc=example,dc=org";
  
  ldap_list($ldapconn, $dn, $filter);
}
----

=== How does this work?

include::../../common/fix/validation.adoc[]

For PHP, the core library function
https://www.php.net/manual/en/function.ldap-escape.php[`ldap_escape`] allows sanitizing these characters.

In the compliant solution example, the `ldap_escape` function is used with the
`LDAP_ESCAPE_FILTER` flag, which sanitizes potentially malicious characters in the search filter.
The function can also be used with the `LDAP_ESCAPE_DN` flag, which sanitizes
the distinguished name (DN).