Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-597 (在字符串比较中使用了错误的操作符) — Vulnerability Class 3

3 vulnerabilities classified as CWE-597 (在字符串比较中使用了错误的操作符). AI Chinese analysis included.

CWE-597 represents a logical error in programming where developers incorrectly use equality operators, such as “==” in Java, to compare string values instead of invoking appropriate comparison methods like .equals(). This weakness stems from confusing reference equality with content equality, leading to unintended control flow decisions. Attackers typically exploit this by providing input that results in different object instances with identical values, causing the program to bypass critical security checks or validation logic. Although often resulting in mere functional bugs, this flaw can enable authentication bypasses or data integrity violations if security-critical strings are mishandled. Developers prevent this by consistently using language-specific string comparison functions that evaluate character sequences rather than memory addresses, ensuring robust and predictable application behavior across all input scenarios.

MITRE CWE Description
The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead. In Java, using == or != to compare two strings for equality actually compares two objects for equality rather than their string values for equality. Chances are good that the two references will never be equal. While this weakness often only affects program correctness, if the equality is used for a security decision, the unintended comparison result could be leveraged to affect program security.
Common Consequences (1)
OtherOther
Mitigations (1)
ImplementationWithin Java, use .equals() to compare string values. Within JavaScript, use == to compare string values. Within PHP, use == to compare a numeric value to a string value. (PHP converts the string to a number.)
Effectiveness: High
Examples (2)
In the example below, two Java String objects are declared and initialized with the same string values. An if statement is used to determine if the strings are equivalent.
String str1 = new String("Hello"); String str2 = new String("Hello"); if (str1 == str2) { System.out.println("str1 == str2"); }
Bad · Java
if (str1.equals(str2)) { System.out.println("str1 equals str2"); }
Good · Java
In the example below, three JavaScript variables are declared and initialized with the same values. Note that JavaScript will change a value between numeric and string as needed, which is the reason an integer is included with the strings. An if statement is used to determine whether the values are the same.
<p id="ieq3s1" type="text">(i === s1) is FALSE</p> <p id="s4eq3i" type="text">(s4 === i) is FALSE</p> <p id="s4eq3s1" type="text">(s4 === s1) is FALSE</p> var i = 65; var s1 = '65'; var s4 = new String('65'); if (i === s1) { document.getElementById("ieq3s1").innerHTML = "(i === s1) is TRUE"; } if (s4 === i) { document.getElementById("s4eq3i").innerHTML = "(s4 === i) is TRUE"; } if (s4 === s1) { document.getElementById("s4eq3s1").innerHTML = "(s4 === s1) is TRUE"; }
Bad · JavaScript
<p id="ieq2s1" type="text">(i == s1) is FALSE</p> <p id="s4eq2i" type="text">(s4 == i) is FALSE</p> <p id="s4eq2s1" type="text">(s4 == s1) is FALSE</p> var i = 65; var s1 = '65'; var s4 = new String('65'); if (i == s1) { document.getElementById("ieq2s1").innerHTML = "(i == s1) is TRUE"; } if (s4 == i) { document.getElementById("s4eq2i").innerHTML = "(s4 == i) is TRUE"; } if (s4 == s1) { document.getElementById("s4eq2s1").innerHTML = "(s4 == s1) is TRUE"; }
Good · JavaScript
CVE IDTitleCVSSSeverityPublished
CVE-2021-4259 phpRedisAdmin login.inc.php authHttpDigest wrong operator in string comparison — phpRedisAdmin 5.0 Medium2022-12-19
CVE-2022-36072 SilverwareGames.io used == for hashing instead of === — silverwaregames-io-issue-tracker 5.9 Medium2022-09-06
CVE-2021-3797 Use of Wrong Operator in String Comparison in hestiacp/hestiacp — hestiacp/hestiacp 9.8 -2021-09-15

Vulnerabilities classified as CWE-597 (在字符串比较中使用了错误的操作符) represent 3 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.