Use of Wrong Operator in String Comparison
ID: 597 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Variant |
Description
The product uses the wrong operator when comparing a string,
such as using "==" when the equals() method should be used
instead.
Extended Description
In Java, using == or != to compare two strings for equality actually
compares the two object references for identity, not their values. Chances are
good that the two references will never be equal. While this weakness often only
affects program correctness, if the comparison is used for a security
decision, it could be leveraged to affect program security.
Applicable Platforms
None
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Other | Other | |
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Implementation | | Use equals() to compare strings. | High | |
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-597 ChildOf CWE-885 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In the example below, two Java String objects are declared and
initialized with the same string values and an if statement is used to
determine if the strings are equivalent. (Demonstrative Example Id DX-60)
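The following is an added illustration of the weakness and its mitigation; it is not the entry's own DX-60 code. It assumes a hypothetical role check that gates an administrative action, and shows why == can pass in a unit test with literals yet fail (or fail open, in the != form) on a string built at runtime.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example for CWE-597; the role names and methods are hypothetical.
public class StringCompareDemo {

    // Weak: "==" compares object identity, not character contents.
    // Passes only when both sides are the same interned object.
    static boolean isAdminWeak(String role) {
        return role == "admin";
    }

    // Weak, and fails open: a runtime-built "guest" is a different object
    // from the literal, so "!=" is true and the caller is treated as non-guest.
    static boolean notGuestWeak(String role) {
        return role != "guest";
    }

    // Corrected: equals() compares contents. Literal-first form also
    // returns false (rather than throwing) when role is null.
    static boolean isAdmin(String role) {
        return "admin".equals(role);
    }

    static boolean notGuest(String role) {
        return !"guest".equals(role);
    }

    // For secrets (tokens, passwords) compare contents in constant time so
    // the check neither uses identity nor leaks timing information.
    static boolean tokenMatches(String presented, String expected) {
        if (presented == null || expected == null) {
            return false;
        }
        return MessageDigest.isEqual(
            presented.getBytes(StandardCharsets.UTF_8),
            expected.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Compile-time constant: interned, so identity comparison happens to agree.
        String literal = "admin";
        // Built at runtime (as request input or a parsed header would be):
        // same contents, distinct object.
        String runtime = "ad".concat("min");
        String guest = "gu".concat("est");

        System.out.println("== on literal:  " + isAdminWeak(literal));
        System.out.println("== on runtime:  " + isAdminWeak(runtime));
        System.out.println("!= on runtime:  " + notGuestWeak(guest) + " (fails open)");
        System.out.println("equals():       " + isAdmin(runtime) + " / " + notGuest(guest));
        System.out.println("token check:    " + tokenMatches("s3cr3t", "s3c".concat("r3t")));
    }
}
```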
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
CERT Java Secure Coding | EXP03-J | Do not use the equality operators when comparing values of boxed primitives | |
References:
- Mark Dowd, John McDonald and Justin Schuh. The Art of Software Security Assessment, 1st Edition. Addison Wesley, 2006. Chapter 6, "Typos", page 289.