Tag Archives: CWE- 597

CWE-597 – Use of Wrong Operator in String Comparison

Read Time:44 Second

Description

The product uses the wrong operator when comparing a string, such as using “==” when the .equals() method should be used instead.

In Java, using == or != to compare two strings for equality actually compares two objects for equality rather than their string values for equality. Chances are good that the two references will never be equal. While this weakness often only affects program correctness, if the equality is used for a security decision, the unintended comparison result could be leveraged to affect program security.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-595
CWE-595
CWE-480

 

Consequences

Other: Other

 

Potential Mitigations

Phase: Implementation

Effectiveness: High

Description: 

Within Java, use .equals() to compare string values.
Within JavaScript, use == to compare string values.
Within PHP, use == to compare a numeric value to a string value. (PHP converts the string to a number.)

CVE References