LDAP Search Filters Using with non-standard Characters


RFC 4511 describes Lightweight Directory Access Protocol (LDAP) The Protocol and clearly shows the SearchRequest LDAP SearchFilter is to be, as with all data sent to the DSA, " be encoded for exchange using the Basic Encoding Rules BER of ASN.1 with" a few restrictions.

So even though "Some applications may find it useful to have a common way of representing these search filters in a human-readable form.", the DUA (LDAP Client) is responsible to perform the encoding as described in Lightweight Directory Access Protocol (LDAP) The Protocol (RFC 4511).

Our Recommendation#

The best way to create any kind of filter in an LDAP-enabled application is to use the Filter.create* methods (from the UnboundID LDAP SDK For Java) instead of trying to construct a filter yourself using the LDAP String Representation of Search Filters.

This is true for two reasons:

  • The UnboundID LDAP SDK For Java will always perform the appropriate escaping for any special characters contained in the assertion value.
    This can help thwart attacks from clients trying to use the LDAP equivalent of an SQL injection (e.g., by trying to trick the application into performing a substring or presence search when the intent was to perform an equality search).
  • It is faster. The LDAP SDK doesn't have to parse the string representation in order to get the components to use in the binary encoding.

More Information#

There might be more information for this subject on one of the following: