Use of Wrong Operator in String Comparison

ID: 597
Date: (C) 2012-05-14  (M) 2012-11-08
Type: weakness
Status: DRAFT
Abstraction Type: Variant

Description

The product uses the wrong operator when comparing a string, such as using "==" when the equals() method should be used instead.

Extended Description

In Java, using == or != to compare two strings tests whether the two references point to the same object, not whether the strings hold the same characters. Chances are good that the two references will never be equal. While this weakness often only affects program correctness, if the equality test is used for a security decision, it could be leveraged to affect program security.

Applicable Platforms
None

Time Of Introduction

  • Implementation

Common Consequences

ScopeTechnical ImpactNotes
Other
 
Other
 
 

Detection Methods
None

Potential Mitigations

Phase             Strategy    Description                         Effectiveness    Notes
Implementation                Use equals() to compare strings.    High             

Relationships

Related CWE                 Type        View       Chain
CWE-597 ChildOf CWE-885     Category    CWE-888    

Demonstrative Examples

  1. In the example below, two Java String objects are declared and initialized with the same string values and an if statement is used to determine if the strings are equivalent. (Demonstrative Example Id DX-60)
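The following Java program is an added illustration of the weakness described above and of the recommended mitigation; it is not the CWE entry's own demonstrative example (DX-60) and not code from SecPod or MITRE. The class name StringCompareDemo, the helper roleFromRequest() and the "admin" role value are assumptions made for the illustration.

```java
// Added example (not from the CWE page): reference comparison with ==
// beside the value comparison that the "Use equals()" mitigation calls for.
public class StringCompareDemo {

    // Assumed helper standing in for a role string that arrives from outside
    // the program (a request header, a database row, a config file). Such a
    // value is a fresh String object, never the interned literal "admin".
    static String roleFromRequest() {
        return new String("admin"); // constructed sample input
    }

    // WEAK: == compares object identity, so this authorization check depends
    // on where the string came from rather than on what it says.
    static boolean isAdminWeak(String role) {
        return role == "admin";
    }

    // MITIGATED: equals() compares the characters. Calling it on the literal
    // rather than on the parameter also keeps a null role from throwing.
    static boolean isAdminMitigated(String role) {
        return "admin".equals(role);
    }

    public static void main(String[] args) {
        String literal = "admin";          // compile-time literal, interned by the JVM
        String fromRequest = roleFromRequest();

        // Same characters in both strings; only the object identity differs.
        System.out.println("literal == \"admin\"       : " + (literal == "admin"));
        System.out.println("isAdminWeak(fromRequest)  : " + isAdminWeak(fromRequest));
        System.out.println("isAdminMitigated(request) : " + isAdminMitigated(fromRequest));
        System.out.println("isAdminMitigated(null)    : " + isAdminMitigated(null));
    }
}
```

Running the program shows why the bug survives testing: the two compile-time literals are interned to one object, so the == comparison in the first line passes, while the same check against a string built at runtime fails even though the characters match. The equals() form gives the same answer for both, and the "literal".equals(variable) ordering handles a null argument without an exception, which matters when the comparison gates a security decision.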

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy                   Id         Name                                                                            Fit
CERT Java Secure Coding    EXP03-J    Do not use the equality operators when comparing values of boxed primitives    

References:

  1. Mark Dowd, John McDonald and Justin Schuh. The Art of Software Security Assessment, 1st Edition. Addison Wesley, 2006. Chapter 6, "Typos", page 289.

© 2013 SecPod Technologies