Perl provides two sets of comparison operators; : one set for working with numbers , and one set for working with strings.
Numbers | Strings |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Do not use the number comparison operators on non-numeric nonnumeric strings. Likewise, do not use the string comparison operators on numbers.
Noncompliant Code Example (
...
Numbers)
This noncompliant code example improperly uses eq to test two numbers for equality. Counterintuitively, this code prints false.
| Code Block | ||||
|---|---|---|---|---|
| ||||
my $num = 2; print "Enter a number\n"; my $num$user_num = 02<STDIN>; # ...chomp $user_num; if ($num eq "02"$user_num) {print "true\n"} else {print "false\n"}; |
This code will print true if the user enters 2, but false if the user enters 02,The counterintuitive result arises from the fact that $num is interpreted as a number. When it is initialized, the 02 string is converted to its numeric representation, which is 2. When it is compared, it is convered back to a string, but this time it has the value 2, and so the string comparison fails.
Compliant Solution (
...
Numbers)
This compliant colution solution uses ==, which interprets its arguments as numbers. Thus this This code therefore prints true, even though if the right argument to == is explicitly provided as a stringinitialized to some different string like 02.
| Code Block | ||||
|---|---|---|---|---|
| ||||
my $num = 2; print "Enter a number\n"; my $num$user_num = 02<STDIN>; # ...chomp $user_num; if ($num == "02"$user_num) {print "true\n"} else {print "false\n"}; |
Noncompliant Code Example (
...
Strings)
This noncompliant code example improperly uses == to test two strings for equality.
| Code Block | ||||
|---|---|---|---|---|
| ||||
sub check_password {
my $correct = shift;
my $password = shift;
# encrypt password
if ($password == $correct) {
return true;
} else {
return false;
}
}
|
The == operator first converts its arguments into numbers . This is done by extracting digits from the front of each arguments argument (along with a preceding + or -). Non-numeric Nonnumeric data in an argument is ignored, and the number consists of whatever digits were extractextracted. A string such as "goodpass" has no leading digits, and so it is thus converted to the numeral 0. Consequently, unless either $password or $correct contains leading digits, they will both be converted to 0 , and will therefore be considered equivalent.
Compliant Solution (
...
Strings)
This compliant colution solution uses eq, which interprets its arguments as strings.
| Code Block | ||||
|---|---|---|---|---|
| ||||
sub check_password {
my $correct = shift;
my $password = shift;
# encrypt password
if ($password eq $correct) {
return true;
} else {
return false;
}
}
|
...
Confusing the string comparison operators with numeric comparison operators can lead to incorrect program behavior or incorrect program data.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
EXP35-PL |
Low |
Likely |
Low | P9 | L2 |
Automated Detection
Tool | Diagnostic |
|---|---|
Perl::Critic | ValuesAndExpressions::ProhibitMismatchedOperators |
DoubledPrefix |
Bibliography
| Wiki Markup |
|---|
\[[Wall 2011|AA. Bibliography#Manpages]\] [perlfunc|http://perldoc.perl.org/perlop.html] |
...
EXP11-C. Do not apply operators expecting one type to data of an incompatible type 03. Expressions (EXP) EXP13-C. Treat relational and equality operators as if they were nonassociative