https://programming.dev/post/7789832
*removed externally hosted image*
I still don't understand the
===
operatorEdit: I think a more type strict
==
? Pretty sure I understand the point of typescript now.> 1 == 1 true > 1 == '1' true > 1 === '1' false
(from node REPL)
Basically it's the real equals sign *removed externally hosted image*
The short answer is that your language needs === when it fucked up the semantics of ==, but it's also too popular and you can't fix it without breaking half the web.
JS's
==
has some gotchas and you almost never want to use it. So===
is what==
should have been.All examples are true:
"1" == true [1, 2] == "1,2" " " == false null == undefined
It isn't that insane. But some invariants that you may expect don't hold.
"" == 0 "0" == 0 "" != "0"
It's also important if you're checking hashes (at least, it was - if you're using correct hashing algorithm that isn't ancient, you will not have this problem).
Because if you take for example "0e462097431906509019562988736854" (which is md5("240610708"), but also applicable to most other hashing algorithms that hash to a hex string), if("0e462097431906509019562988736854" == 0) is true. So any other data that hashes to any variantion of "0e[1-9]+" will pass the check, for example:
md5("240610708") == md5("hashcatqlffzszeRcrt")
that equals to
"0e462097431906509019562988736854" == "0e242700999142460696437005736231"
which thanks to scientific notation and no strict type checking can also mean
0462097431906509019562988736854 == 0242700999142460696437005736231
which is
0 == 0
`I did use md5 as an example because the strings are pretty short, but it's applicable to a whole lot of other hashes. And the problem is that if you use one of the strings that hash to a magic hash in a vulnerable site, it will pass the password check for any user who's password also hashes to a magic hash. There's not really a high chance of that happening, but there's still a lot of hashes that do hash to it.
If you're checking passwords, you should be using constant time string checking, anyway.
More likely, you should let your bcrypt library do it for you.
Like
==
but more strict. The==
operator will do type conversion, so0 == ''
will actually be true, as an example. Sometimes (honestly, most times) you may want to compare more strictly.See this StackOverflow answer: https://stackoverflow.com/questions/359494/which-equals-operator-vs-should-be-used-in-javascript-comparisons
eight equals equals equals equals equals equals equals equals equals capital d tilde tilde
== same (after magic) === same and same type (in Javascript) ==== same and same type and same actual type (in the backend before conversion to JSON) ===== same and same type and same actual type and same desired type (what the customer wanted)