Comparison of Incompatible Types

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

This vulnerability occurs when code directly compares two values of fundamentally different data types, which can lead to unreliable or incorrect results because the comparison logic doesn't handle the type mismatch properly.

Extended Description

In strictly-typed languages like C or C++, developers might try to force a comparison by casting one value to match the other's type. However, this manual conversion doesn't guarantee a semantically correct or safe comparison, as the underlying meaning or representation of the data may be distorted during the cast, leading to logic errors. In loosely-typed languages like JavaScript or PHP, the problem often happens implicitly. The language's internal type coercion rules automatically convert values during comparison, which can produce surprising outcomes—like a string "123" being treated as the number 123, or "0" being evaluated as false. Developers must explicitly validate and convert types before comparing to ensure the logic behaves as intended.
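The coercion rules described above, and the explicit validate-then-compare pattern the entry recommends, as an added JavaScript example (this code is not part of the CWE entry; the function names coercionTable, sameTypeEquals, parseIntStrict and idMatches, and the sample value pairs, are constructed for illustration):

```javascript
// Added example: how JavaScript's loose equality (==) coerces operands of
// incompatible types, next to a comparison that refuses to coerce.

// Constructed sample pairs chosen to exercise the coercion rules the
// description mentions ("123" vs 123, "0" vs false) plus a few relatives.
function coercionTable() {
  const pairs = [
    ['123', 123],          // string-to-number coercion
    ['0', false],          // both sides coerced to the number 0
    ['', 0],               // empty string coerces to 0
    [null, undefined],     // loosely equal to each other only
    ['1e3', 1000],         // exponent notation still parses as a number
    [[], false],           // [] -> '' -> 0, false -> 0
  ];
  return pairs.map(([a, b]) => ({
    a,
    b,
    loose: a == b,   // applies the abstract-equality coercion rules
    strict: a === b, // compares type first, then value
  }));
}

// Defensive comparison: both operands must already be the expected type.
// A type mismatch fails closed (returns false) instead of being coerced.
function sameTypeEquals(a, b, expectedType) {
  if (typeof a !== expectedType || typeof b !== expectedType) {
    return false;
  }
  return a === b;
}

// When the input genuinely arrives as a string (query parameter, form field)
// and a number is needed, convert explicitly and validate the result rather
// than letting == do it. Only plain decimal integers are accepted here.
function parseIntStrict(s) {
  if (typeof s !== 'string' || !/^-?\d+$/.test(s)) return null;
  const n = Number(s);
  return Number.isSafeInteger(n) ? n : null;
}

// Example use: does a user-supplied id string refer to the expected numeric id?
function idMatches(inputString, expectedId) {
  const n = parseIntStrict(inputString);
  return n !== null && sameTypeEquals(n, expectedId, 'number');
}

// Print the table when run directly, so the coercion surprises are visible.
if (typeof require !== 'undefined' && require.main === module) {
  console.table(coercionTable());
  console.log(idMatches('42', 42), idMatches('42', '42'), idMatches('4.2', 42));
}
```

Every row of the table has `loose === true` and `strict === false`, which is the behaviour the description calls surprising. The rows also double as the kind of negative test cases the mitigation section asks for: a test suite that feeds each left-hand value into the real comparison routine and expects `false` catches a regression from `===` back to `==`.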

Common Consequences
Scope: Other

Impact: Varies by Context

Potential Mitigations
Phase: Testing
Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.
Applicable Platforms
Languages:
JavaScript: Undetermined
PHP: Undetermined
Not Language-Specific: Undetermined
Modes of Introduction
Implementation
Related Weaknesses