i just started typing this code:
ldap_simple_bind_s ("uid="+victim+",ou=People,dc=mine", pass);
(it is C, the + is just for simplification)
i think this is a security problem, as the user can type the "victim" in an edit field. for example he can do:
victim="paul,foo=bar,i=you,he=she"
and creates effects not intended by the programmer.
Every application is responsible for validating its input according to local definitions and security policy.
i don't find a ldap_escape_string function.
Just calling an escape function is not a substitution for checking input.
This is not specific to OpenLDAP though...
Ciao, Michael.