20070306

Good Habits Part II-b: Output Filtering LDAP

I did some research before this one, and it's sad that there seems to be so little support in built-in libraries for dealing with output filtering (er - rather "parameterized LDAP queries").

LDAP searches are every bit as susceptible to injection flaws as any other presentation engine. Fortunately, Java provides a parameterized search method. Unfortunately, I can't seem to find an equivalent in other APIs.

In Java, rather than simply building the query by concatenating user input, a la:
qry = "(cn=" + strName + ")";
where strName is injectable (the user can include * to return all names, a bad thing, or use parentheses to close the query, or include other attributes in the search), a better approach is to do something like the following:
qry = "(cn={0})";
result = ctx.search(root, qry, new String[] {strName}, ctls);
With that, strName is properly escaped before being substituted into the query.

I looked for how to do this in Perl's Net::LDAP, the OpenLDAP C libraries, PHP, and Ruby, and they all seem to require the developer to do the encoding. The search filter RFC only seems to indicate that *, ), (, \, and NUL need to be encoded, using a backslash followed by the hex of the ASCII value of the character, which would seem to be enough. However, you need to be very careful about what character encoding you're expecting your input in, and about any escapes that might already be taking place there.
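Here is what that developer-side encoding looks like in Ruby, one of the languages above that leaves it to you. This is an added example, not code from the original post or from any LDAP library; it only builds the filter string and contacts no server. It escapes the five characters the RFC names as a backslash plus two hex digits, and it works on the UTF-8 octets of the value so that non-ASCII input is escaped byte by byte rather than mangled (the encoding caveat above).

```ruby
# Added example: RFC 4515 escaping of a single LDAP filter assertion value.
# Uses only the Ruby standard library; no directory connection is made.

# Byte values that must be escaped inside a filter value: NUL, ( ) * and \.
LDAP_FILTER_ESCAPED_BYTES = [0x00, 0x28, 0x29, 0x2a, 0x5c].freeze

# Escape one assertion value for safe use inside an LDAP search filter.
# The value is converted to UTF-8 first so escaping operates on the octets
# the directory will see; bytes >= 0x80 are escaped too, keeping the whole
# filter ASCII. Assumes the input is a String in a known encoding.
def ldap_escape(value)
  value.to_s.encode("UTF-8").each_byte.map do |b|
    if LDAP_FILTER_ESCAPED_BYTES.include?(b) || b >= 0x80
      format("\\%02x", b)   # e.g. "*" becomes "\2a"
    else
      b.chr
    end
  end.join
end

# The concatenation pattern from the post, kept only for comparison:
# whatever the user typed lands in the filter unchanged.
def unsafe_cn_filter(name)
  "(cn=#{name})"
end

# The value is escaped before it is placed in the filter, which is what
# Java's search(name, "(cn={0})", new Object[]{name}, ctls) does for you.
def safe_cn_filter(name)
  "(cn=#{ldap_escape(name)})"
end

if __FILE__ == $PROGRAM_NAME
  sample = "*"                      # constructed input: the wildcard case
  puts "unsafe: #{unsafe_cn_filter(sample)}"   # (cn=*)
  puts "safe:   #{safe_cn_filter(sample)}"     # (cn=\2a)
end
```

With the escaped form, a wildcard or a closing parenthesis in the input is matched literally as part of the cn value instead of changing the shape of the filter.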

So in Java, do yourself a favor and use the search() that takes an Object[] as one of the parameters. In other languages, be very careful with output filtering.
