Variant · Draft

CWE-597: Use of Wrong Operator in String Comparison

Category: other

Description

The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead. In Java, using == or != to compare two strings compares the two object references for identity rather than the string values for equality, so two strings with identical contents are usually reported as unequal unless they happen to be the same object (for example, two interned literals). While this weakness often only affects program correctness, if the comparison result feeds a security decision, the unintended result can be leveraged to affect program security.

Common consequences (1)

  • Other — Other

Potential mitigations (1)

  • [Implementation] Within Java, use .equals() to compare string values. Within JavaScript, use == to compare string values. Within PHP, use == to compare a numeric value to a string value. (PHP converts the string to a number.)
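The Java case described above, as an added example that is not part of the CWE entry: a hypothetical role check written with == and !=, beside the same check corrected with .equals(). The method and variable names are assumptions; the point is that == happens to succeed for interned literals (so a unit test can pass) and fails for values decoded at runtime.

```java
import java.nio.charset.StandardCharsets;

public class StringCompareDemo {

    // Vulnerable (CWE-597): == compares object identity, not string contents.
    // A legitimate "admin" value decoded from a request is a different object
    // from the literal, so the check rejects it.
    static boolean isAdminBroken(String role) {
        return role == "admin";
    }

    // Vulnerable in the other direction: != is true for any distinct object,
    // so a runtime-built "guest" string is not recognised as the restricted role.
    static boolean mayWriteBroken(String role) {
        return role != "guest";
    }

    // Fixed: compare contents. Putting the constant on the left also avoids a
    // NullPointerException when the caller passes null.
    static boolean isAdminFixed(String role) {
        return "admin".equals(role);
    }

    static boolean mayWriteFixed(String role) {
        return !"guest".equals(role);
    }

    public static void main(String[] args) {
        // Constructed inputs: a compile-time literal (interned by the JVM) and the
        // same text decoded from bytes, as it would arrive from a request or database.
        String literal = "admin";
        String fromRequest = new String("admin".getBytes(StandardCharsets.UTF_8),
                                        StandardCharsets.UTF_8);
        String guestFromRequest = new String("guest".getBytes(StandardCharsets.UTF_8),
                                             StandardCharsets.UTF_8);

        // Identity comparison: only the interned literal is recognised.
        System.out.println("broken, literal admin   : " + isAdminBroken(literal));
        System.out.println("broken, decoded admin   : " + isAdminBroken(fromRequest));
        // The restricted role decoded at runtime slips past the != check.
        System.out.println("broken, decoded guest   : " + mayWriteBroken(guestFromRequest));

        // Content comparison behaves the same for both representations.
        System.out.println("fixed,  decoded admin   : " + isAdminFixed(fromRequest));
        System.out.println("fixed,  decoded guest   : " + mayWriteFixed(guestFromRequest));
    }
}
```

Static analysis rules for reference comparison of strings (most Java linters flag `==` on String operands) catch this class of bug before it reaches a security decision.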

References

  1. https://cwe.mitre.org/data/definitions/597.html

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Incorrect Comparison
  • CWE: Use of Incorrect Operator
  • CWE: Incorrect Comparison Logic Granularity
  • CWE: Comparison of Object References Instead of Object Contents
  • CWE: Improper Adherence to Coding Standards
  • CWE: Operator Precedence Logic Error

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.