Is escaping advisable when setting a value for an attribute? #686
Hello,
Replies: 1 comment
Hey @andsal,

It's not possible to escape LDAP attributes in LdapRecord. LdapRecord uses PHP's standard `ldap_*` methods when performing creates and updates. Attributes will always be sent in a structured format as strings to your LDAP server. Ex:

```php
$changes = [
    [
        "attrib" => "telephoneNumber",
        "modtype" => LDAP_MODIFY_BATCH_ADD,
        "values" => ["+1 555 555 1717"], // Value cannot be escaped, it's passed as its true PHP value.
    ],
];

ldap_modify_batch($connection, $dn, $changes);
```

This is different for LDAP search filters. Input supplied in LDAP search filters must always be escaped, as search filters are constructed similarly to SQL queries, in the sense that the string contains logic for filtering LDAP results. Ex:

Without Escaping:

```php
// User-supplied input:
// $username = $_GET['username'];
// Ex:
$username = "*";

// "(uid=*)"
$query = "(uid=$username)";

// Search returns all users due to wildcard:
$result = ldap_search($ldap_connection, $base_dn, $query);
```

With Escaping:

```php
// "\2a"
$username = ldap_escape("*");

// "(uid=\2a)"
$query = "(uid=$username)";

// Search returns user with UID literal "*":
$result = ldap_search($ldap_connection, $base_dn, $query);
```

Hope this clears things up for you. Let me know if you have any further questions 👍
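An added example (not part of the reply above and not LdapRecord's own code) that contrasts the two cases: values placed in a search filter are escaped with `LDAP_ESCAPE_FILTER`, while a value written to an attribute is passed raw. The helper `buildEqualityFilter`, its allow-list and all sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example, not LdapRecord code. Needs PHP's ldap extension for
// ldap_escape() and the LDAP_* constants; no LDAP server is contacted.

// Hypothetical helper: the attribute name comes from a fixed allow-list,
// and only the user-supplied value is escaped for use inside a filter.
function buildEqualityFilter(string $attribute, string $value): string
{
    $allowed = ['uid', 'mail', 'telephoneNumber']; // assumed allow-list
    if (!in_array($attribute, $allowed, true)) {
        throw new InvalidArgumentException("Attribute not allowed: $attribute");
    }
    // LDAP_ESCAPE_FILTER hex-encodes only the filter metacharacters
    // \ * ( ) and NUL. With no flag, ldap_escape() encodes every byte.
    return '(' . $attribute . '=' . ldap_escape($value, '', LDAP_ESCAPE_FILTER) . ')';
}

// Constructed sample inputs, as they might arrive from a search form.
foreach (['jdoe', '*', 'j*', 'smith (contractor)', 'a\\b'] as $input) {
    echo str_pad($input, 20), ' => ', buildEqualityFilter('uid', $input), PHP_EOL;
}

// Attribute values are data, not filter syntax. Escaping one before a write
// changes what is sent: the backslash sequences go to the server verbatim.
$phone = '+1 (555) 555-1717'; // constructed value

$changes = [
    [
        'attrib'  => 'telephoneNumber',
        'modtype' => LDAP_MODIFY_BATCH_ADD,
        'values'  => [$phone], // raw value, exactly as it should be stored
    ],
];

echo 'value to write:      ', $changes[0]['values'][0], PHP_EOL;
echo 'if filter-escaped:   ', ldap_escape($phone, '', LDAP_ESCAPE_FILTER), PHP_EOL;
```

Run it with the `php` CLI: the loop shows the parentheses, asterisk and backslash in the constructed inputs replaced by hex sequences inside the filter, and the last two lines show why the same treatment would corrupt an attribute value.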