On 12/17/2010 02:11 AM, Vladimir Dzhuvinov wrote:
> Hi Neal,
>
> I've got couple of apps where I escape special chars from user input
> that goes into search filter templates. I wrote my own code for this
> task, but then I thought, wouldn't be good to have this provided by
> the SDK?
>
> Something in the spirit of the private Filter.encodeValue(value,
> buffer), but with a signature like
>
> public static String encodeValue(String value)
The LDAP SDK already has this capability. For example, if you want to
create a filter like "(uid={username})", where "{username}" is some
value provided by a user, then you would use:
Filter.createEqualityFilter("uid", username)
This is much better than trying to do something like:
Filter.create("(uid=" + username + ")")
because creating a filter from only the string representation leaves you
open to the LDAP equivalent of SQL injection attacks, which could try to
trick the server into exposing more data than is intended.
There also already was a private encodeValue method used internally
within the class for creating the string representation. The private
version probably isn't ideal for use by third-party code, but I can
expose a couple more user-friendly public versions.
Note that the string representation isn't the same as the LDAP
representation, so when a filter is transferred over the network, no
special escaping is required. It's only when you have to represent the
filter as a string that special handling is needed for characters like
parentheses, asterisk, backslash, and the null character, as well as for
non-ASCII characters.
> Regards,
>
> Vladimir
>
>
> PS: For some reason I cannot subscribe to this list, when I try to
> register using the form at
> https://lists.sourceforge.net/lists/listinfo/ldap-sdk-discuss I never
> get a confirmation email.
I don't know why that would happen. I have manually subscribed you to
the list, so it shouldn't be an issue any more, but let me know if you
have any further problems.
Neil
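As an added illustration (not part of the original thread and not the SDK's own code), the following pure-JDK snippet implements the RFC 4515 value escaping that Vladimir's filter-template case needs and shows what goes wrong without it. The class and method names are assumptions chosen to mirror the requested signature; when building filters programmatically with the SDK, `Filter.createEqualityFilter("uid", username)` as Neil describes is the simpler route and needs no escaping at all.

```java
import java.nio.charset.StandardCharsets;

/**
 * Hypothetical helper (not the UnboundID LDAP SDK's implementation) that
 * escapes an assertion value for use inside an LDAP filter *string*,
 * following RFC 4515 section 3: parentheses, asterisk, backslash and NUL
 * become "\HH", and, as the SDK does, every non-printable or non-ASCII
 * UTF-8 byte is escaped the same way.
 */
public final class LdapFilterEscape {

    private LdapFilterEscape() { }

    /** Return the escaped form of {@code value}, safe to splice into "(attr=...)". */
    public static String encodeValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() * 2);
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xFF;
            switch (c) {
                case 0x00: // NUL
                case 0x28: // (
                case 0x29: // )
                case 0x2A: // *
                case 0x5C: // backslash
                    appendHex(sb, c);
                    break;
                default:
                    if (c < 0x20 || c > 0x7E) {
                        appendHex(sb, c); // control characters and non-ASCII bytes
                    } else {
                        sb.append((char) c);
                    }
            }
        }
        return sb.toString();
    }

    /** Append "\HH" (two lowercase hex digits, always zero-padded). */
    private static void appendHex(StringBuilder sb, int c) {
        sb.append('\\');
        if (c < 0x10) {
            sb.append('0');
        }
        sb.append(Integer.toHexString(c));
    }

    /** Build "(attr=value)" the way a string template would, but with escaping applied. */
    public static String equalityFilterString(String attribute, String value) {
        return "(" + attribute + "=" + encodeValue(value) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample input containing filter metacharacters and a non-ASCII letter.
        String username = "*)(cn=é";

        // Naive concatenation: the metacharacters change the filter's structure.
        String naive = "(uid=" + username + ")";
        // Escaped: the whole input stays a single literal assertion value.
        String safe = equalityFilterString("uid", username);

        System.out.println("naive : " + naive);
        System.out.println("safe  : " + safe);
    }
}
```

The naive form is what the thread warns about: the user-controlled text is parsed as part of the filter grammar rather than as a value. The escaped form keeps every byte of the input inside one equality assertion, which is exactly what `Filter.createEqualityFilter` guarantees for you when you let the SDK construct the filter object instead of its string representation.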