I'm probably just being paranoid again about security. The latest thing keeping me up at night is the checks that one of our websites uses. It runs ColdFusion 9 on a Windows environment, and we check user input with isNumeric to verify that a string or input is indeed a number. If it isn't a number, we stop execution and show a message to the user; otherwise we do what needs to be done normally. My question is, is there a way to break this check? Basically, is there some kind of format that isNumeric will report as a number but that can actually include something bad?
<cfparam name="userInput" default="0">
<cfif isNumeric(userInput)>
    <!--- Should be a number id 500 --->
    <!--- Use value to do SQL stuff because it should be a number --->
    <!--- I know, not the best practice. Plan to fix all of these but the
          amount of code is staggering to fix all of these. Figured
          start with one thing then move on --->
    <!--- query name and datasource are placeholders for the real ones --->
    <cfquery name="qSerial" datasource="myDatasource">
        SELECT * FROM db WHERE serial = #userInput#
    </cfquery>
<cfelse>
    <!--- Not a number ie '500sws' --->
</cfif>
Is there something that can be passed into userInput that can fool it to report true but actually not be?
The reason I'm asking is because this site is old. Things are outdated. I'm in the process of working my way through a really large amount of code, and there are points of vulnerability that I will be fixing as I go, but if isNumeric can be fooled, then I have more work to do.
Not sure if I'm explaining it right. Let me know if there needs to be clarification.
If this needs to be moved elsewhere, let me know. Thanks everyone.
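A defensive rewrite of the snippet in the question, added here as an example rather than code from the original post: it tightens the check to plain digits and binds the value with cfqueryparam so the id is never spliced into the SQL string. The query name, the datasource name and the table/column names are assumed placeholders.

```cfml
<!--- Added example, not from the original post. Validate the id as a strict
      integer, then pass it to the database as a typed bound parameter instead
      of interpolating it into the SQL text. --->
<cffunction name="isStrictInteger" returntype="boolean" output="false">
    <cfargument name="value" type="string" required="true">
    <!--- Only plain digits, capped at 10 characters. This refuses forms a serial id
          never needs (signs, decimals, exponents such as "5e2", surrounding
          whitespace), whether or not isNumeric happens to accept them. --->
    <cfreturn reFind("^\d{1,10}$", arguments.value) GT 0>
</cffunction>

<cfparam name="userInput" default="0">

<cfif isStrictInteger(userInput)>
    <!--- cfqueryparam sends the value as a bound integer parameter, so the
          database driver never parses it as part of the SQL statement, even
          if the validation above were somehow bypassed. --->
    <cfquery name="qSerial" datasource="myDatasource">
        SELECT *
        FROM db
        WHERE serial = <cfqueryparam value="#userInput#" cfsqltype="cf_sql_integer">
    </cfquery>
<cfelse>
    <!--- Not a plain integer, e.g. '500sws' or '5e2': refuse and tell the user. --->
    <cfoutput>Invalid serial number.</cfoutput>
</cfif>
```

The regex check replaces isNumeric rather than supplementing it; cfqueryparam is the part that actually removes the injection risk, and it is safe to add even where the existing isNumeric check stays in place.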