SEI CERT Perl Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 7

changes.mady.by.user David Svoboda

Saved on

compared with

New Version Current

changes.mady.by.user Will Snavely

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This noncompliant code example improperly uses eq to test two numbers for equality. Counterintuitively, this code prints false.

Code Block
bgColor#ffcccc
langperl
my $num = 2;
print "Enter a number\n";
my $num$user_num = 02<STDIN>;
# ...chomp $user_num;
if ($num eq "02"$user_num) {print "true\n"} else {print "false\n"};

This code will print true if the user enters 2, but false if the user enters 02,The counterintuitive result arises because $num is interpreted as a number. When it is initialized, the 02 string is converted to its numeric representation, which is 2. When it is compared, it is converted back to a string, but this time it has the value 2, so the string comparison fails.

Compliant Solution (Numbers)

This compliant solution uses ==, which interprets its arguments as numbers. This code therefore prints true even though if the right argument to == is explicitly provided as a stringinitialized to some different string like 02.

Code Block
bgColor#ccccff
langperl
my $num = 2;
print "Enter a number\n";
my $num$user_num = 02<STDIN>;
# ...chomp $user_num;
if ($num == "02"$user_num) {print "true\n"} else {print "false\n"};

...

Code Block
bgColor#ffcccc
langperl

sub check_password {
  my $correct = shift;
  my $password = shift;
  # encrypt password
  if ($password == $correct) {
    return true;
  } else {
    return false;
  }
}

The == operator first converts its arguments into numbers by extracting digits from the front of each argument (along with a preceding + or -). Nonnumeric data in an argument is ignored, and the number consists of whatever digits were extracted. A string such as "goodpass" has no leading digits and , so it is thus converted to the numeral 0. Consequently, unless either $password or $correct contains leading digits, they will both be converted to 0 and will be considered equivalent.

...

Code Block
bgColor#ccccff
langperl

sub check_password {
  my $correct = shift;
  my $password = shift;
  # encrypt password
  if ($password eq $correct) {
    return true;
  } else {
    return false;
  }
}

...

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

EXP35-PL

low Low

likely Likely

low Low

P9

L2

Automated Detection

Tool

Diagnostic

Perl::Critic

ValuesAndExpressions::ProhibitMismatchedOperators

Bibliography

...

...

[

...

CPAN

...

]Elliot Shank,

...

Perl-Critic-1.116 ProhibitMismatchedOperators
[Wall 2011]perlop

 

...

Image Added Image Added Image Added|http://search.cpan.org/~elliotjs/Perl-Critic-1.116/] [ProhibitMismatchedOperators|http://search.cpan.org/~elliotjs/Perl-Critic-1.112_002/lib/Perl/Critic/Policy/ValuesAndExpressions/ProhibitMismatchedOperators.pm] \[[Wall 2011|AA. Bibliography#Manpages]\] [perlop|http://perldoc.perl.org/perlop.html] manpageEXP11-C. Do not apply operators expecting one type to data of an incompatible type      03. Expressions (EXP)      EXP13-C. Treat relational and equality operators as if they were nonassociative