Use of Wrong Operator in String Comparison

The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead.

  • Source

    CWE Catalog - 4.12

  • Identifier

    CWE-597

  • Status

    Draft

Contents

Description

In Java, using == or != to compare two strings for equality actually compares two objects for equality rather than their string values for equality. Chances are good that the two references will never be equal. While this weakness often only affects program correctness, if the equality is used for a security decision, the unintended comparison result could be leveraged to affect program security.

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

In the example below, two Java String objects are declared and initialized with the same string values. An if statement is used to determine if the strings are equivalent.

String str1 = new String("Hello");
String str2 = new String("Hello");
if (str1 == str2) {
  System.out.println("str1 == str2");
}

However, the if statement will not be executed as the strings are compared using the "==" operator. For Java objects, such as String objects, the "==" operator compares object references, not object values. While the two String objects above contain the same string values, they refer to different object references, so the System.out.println statement will not be executed. To compare object values, the previous code could be modified to use the equals method:

if (str1.equals(str2)) {
  System.out.println("str1 equals str2");
}

Example Two

In the example below, three JavaScript variables are declared and initialized with the same values. Note that JavaScript will change a value between numeric and string as needed, which is the reason an integer is included with the strings. An if statement is used to determine whether the values are the same.

<p id="ieq3s1" type="text">(i === s1) is FALSE</p>
<p id="s4eq3i" type="text">(s4 === i) is FALSE</p>
<p id="s4eq3s1" type="text">(s4 === s1) is FALSE</p>

var i = 65;
var s1 = '65';
var s4 = new String('65');

if (i === s1)
{

  document.getElementById("ieq3s1").innerHTML = "(i === s1) is TRUE";
}

if (s4 === i)
{

  document.getElementById("s4eq3i").innerHTML = "(s4 === i) is TRUE";
}

if (s4 === s1)
{

  document.getElementById("s4eq3s1").innerHTML = "(s4 === s1) is TRUE";
}

However, the body of the if statement will not be executed, as the "===" compares both the type of the variable AND the value. As the types of the first comparison are number and string, it fails. The types in the second are int and reference, so this one fails as well. The types in the third are reference and string, so it also fails.

While the variables above contain the same values, they are contained in different types, so the document.getElementById... statement will not be executed in any of the cases.

To compare object values, the previous code is modified and shown below to use the "==" for value comparison so the comparison in this example executes the HTML statement:

<p id="ieq2s1" type="text">(i == s1) is FALSE</p>
<p id="s4eq2i" type="text">(s4 == i) is FALSE</p>
<p id="s4eq2s1" type="text">(s4 == s1) is FALSE</p>

var i = 65;
var s1 = '65';
var s4 = new String('65');

if (i == s1)
{

  document.getElementById("ieq2s1").innerHTML = "(i == s1) is TRUE";
}

if (s4 == i)
{

  document.getElementById("s4eq2i").innerHTML = "(s4 == i) is TRUE";
}

if (s4 == s1)
{

  document.getElementById("s4eq2s1").innerHTML = "(s4 == s1) is TRUE";
}

Example Three

In the example below, two PHP variables are declared and initialized with the same numbers - one as a string, the other as an integer. Note that PHP will change the string value to a number for a comparison. An if statement is used to determine whether the values are the same.

var $i = 65;
var $s1 = "65";

if ($i === $s1)
{

  echo '($i === $s1) is TRUE'. "\n";
}
else
{

  echo '($i === $s1) is FALSE'. "\n";
}

However, the body of the if statement will not be executed, as the "===" compares both the type of the variable AND the value. As the types of the first comparison are number and string, it fails.

While the variables above contain the same values, they are contained in different types, so the TRUE portion of the if statement will not be executed.

To compare object values, the previous code is modified and shown below to use the "==" for value comparison (string converted to number) so the comparison in this example executes the TRUE statement:

var $i = 65;
var $s1 = "65";

if ($i == $s1)
{

  echo '($i == $s1) is TRUE'. "\n";
}
else
{

  echo '($i == $s1) is FALSE'. "\n";
}

See Also

Comprehensive Categorization: Comparison

Weaknesses in this category are related to comparison.

SEI CERT Perl Coding Standard - Guidelines 03. Expressions (EXP)

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.

SEI CERT Oracle Secure Coding Standard for Java - Guidelines 02. Expressions (EXP)

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses Introduced During Implementation

This view (slice) lists weaknesses that can be introduced during implementation.

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.