Java String Comparison: == Caused Auth Bypass
Session token comparison fails with == when strings come from database — avoid NPE by calling equals() on constant side and prevent auth bypass..
20+ years shipping production Java in banking & fintech. Drawn from code that ran under real load.
- == compares memory addresses — never safe for string content
- equals() compares character sequence — your default for exact matches
- equalsIgnoreCase() compares case-insensitively — use for user input
- compareTo() returns negative/zero/positive — for sorting, not equality
- Always put the known string first: "constant".equals(variable) to avoid NPE
Imagine you have two identical birthday cards — same words, same design, printed separately. They look the same, but they're two different physical cards sitting in two different places. Java's == operator asks 'are these the exact same card?' while equals() asks 'do these cards say the same thing?' That distinction is everything in Java string comparison. When you compare strings the wrong way, your program silently does the wrong thing — no crash, just wrong answers.
String comparison is one of the most common operations in any Java program — checking if a user typed the right password, verifying that a city name matches a record, confirming that two product codes are identical. Get it wrong and your app lets the wrong user in, skips valid data, or produces bugs that are infuriatingly hard to track down because Java won't throw an error — it'll just quietly return false when you expected true.
The root of the confusion is that Java strings are objects, not primitives like int or boolean. When you write 'hello' in two places in your code, Java sometimes reuses the same object in memory and sometimes creates a brand new one — and that inconsistency is exactly what makes the naive comparison operator (==) so dangerous. You need the right tool for the job, and Java gives you several.
By the end of this article you'll know the difference between ==, equals(), equalsIgnoreCase(), and compareTo(). You'll understand why each one exists, when to reach for each, and you'll be able to spot the classic beginner mistake in a code review before it ships to production.
Why String Comparison in Java Is Not What It Seems
String comparison in Java is the operation of checking whether two String objects are equal in value or refer to the same memory location. The core mechanic is the distinction between == (reference equality) and .equals() (value equality). This is not a style preference — it is a semantic fork that can break authentication, caching, and data integrity.
Internally, Java maintains a string constant pool. When you write String a = "hello"; String b = "hello";, both references point to the same interned object, so == returns true. But if you read from a file, API, or use new String("hello"), the JVM creates a new heap object, and == returns false even though the characters are identical. The .equals() method performs a character-by-character O(n) comparison (after a quick reference check), while == is O(1) but only checks pointer identity.
Use .equals() for all logical value comparisons — always. Use == only when you explicitly need to check if two references point to the exact same object, such as in identity-sensitive collections or sentinel values. In production, a single == where .equals() was intended can silently bypass security checks, corrupt hash-based caches, or cause infinite loops in sets. Treat == on Strings as a code smell unless you have a deliberate reason.
Why == Breaks for Strings — The Memory Address Problem
In Java, every object lives at a specific address in memory — think of it like a house number. The == operator doesn't compare what's inside two strings. It compares their house numbers. If both variables point to the same house, == returns true. If they point to different houses — even if both houses are identical on the inside — == returns false.
Java has a clever optimisation called the String Pool. When you write a string literal directly in your code (like String city = "London"), Java stores it in a shared pool and reuses it if the same literal appears again. That's why == sometimes appears to work with literals — both variables accidentally point to the same pooled object. But the moment you create a string with new String("London") or get one from user input, you're building a brand new house at a brand new address, and == will fail you.
This is the single most common Java beginner mistake, and it's dangerous precisely because it works some of the time — just not reliably.
equals() for all string content comparisons.Visualizing the String Pool: Why == Behaves Differently for Literals vs new String()
Imagine the String Pool as a shared whiteboard where Java writes down every literal string it encounters. When your code says String a = "hello", Java checks the whiteboard: if "hello" is already written, it hands you a pointer to that existing entry. When you write String b = "hello", it finds the same entry and gives you the same pointer — so a == b is true because both point to the exact same object on the whiteboard.
Now picture the heap as a separate bulletin board where new String() objects get pinned. When you write String c = new String("hello"), Java creates a brand new pin on the bulletin board with the text "hello", regardless of what's on the whiteboard. So a == c compares the whiteboard pointer against the bulletin board pointer — different locations, even though the text reads the same. That's why == returns false.
This diagram represents the difference:
``` STRING POOL (shared whiteboard) ┌──────────────────────────┐ │ "hello" (address: 0x1) │ └──────────────────────────┘ ^ ^ | | String a String b (both point to 0x1)
HEAP (separate bulletin board) ┌──────────────────────────┐ │ "hello" (address: 0x4) │ ← new String("hello") └──────────────────────────┘ ^ | String c (points to 0x4, different from pool)
a == b → true (both reference 0x1) a == c → false (0x1 vs 0x4) a.equals(c) → true (character content matches) ```
String() always gets a unique identity.intern() on all database strings to force them into the pool, hoping to make == work. It worked — until the string set grew beyond the metaspace limit and caused an OutOfMemoryError.equals() for content comparison.equals() for content comparison, and use identityHashCode() only for debugging pool behaviour.equals() and equalsIgnoreCase() — The Right Way to Compare Strings
The equals() method is defined on every Java object, but String overrides it to do something genuinely useful: it compares the actual sequence of characters, one by one, and returns true only if every single character matches in the exact same order. This is what you want 99% of the time.
equals() is case-sensitive — 'Java' and 'java' are not equal to it, because uppercase J and lowercase j are different characters. That's often exactly what you need (passwords, for instance, should be case-sensitive). But sometimes you're comparing city names or product categories where 'london', 'London', and 'LONDON' all mean the same thing. That's where equalsIgnoreCase() comes in — it does the same character-by-character comparison but ignores the case of each letter.
One important habit: always call equals() on the known, non-null string rather than on the variable that might be null. If you call equals() on a null reference, Java throws a NullPointerException. Flipping it around (calling it on the literal or the trusted value) is a small change that prevents a whole class of runtime crashes.
Objects.equals() — Null-Safe Comparison Without the Yoda Condition
The Yoda condition ("constant".equals(variable)) works well when you have a known literal on one side, but what if both strings are unknown variables? For example, when comparing two fields from different sources, both could be null. A manual check would be: if (a != null ? a.equals(b) : b == null). That's verbose and error-prone.
Java 7 introduced java.util.Objects.equals(a, b) to handle this cleanly. It returns true if both arguments are null, false if exactly one is null, and otherwise calls a.equals(b). This is null-safe without requiring you to know which variable is the 'constant'. It's the recommended approach for comparing two unknown string variables.
Objects.equals() is also widely used in stream operations, custom equals() implementations, and anywhere you want defensive, readable code.
Objects.equals() is part of the standard library since Java 7. No external dependencies needed. Use it when both strings could be null, or when writing generic code that handles arbitrary objects.Objects.equals() eliminated a NullPointerException that occurred during a configuration migration when only one side was null.Objects.equals() over manual null checks.StringUtils.equalsAny() — Matching a String Against Multiple Candidates
When you need to check if a string equals any of several possible values, the naive approach is a chain of OR conditions: if (status.equals("ACTIVE") || status.equals("PENDING") || status.equals("IN_PROGRESS")) { ... }. This quickly becomes unwieldy with more values and doesn't handle null gracefully.
Apache Commons Lang's StringUtils.equalsAny() solves this with a single method call: it takes the string to check and a varargs of candidates, returns true if the string equals any of them (using null-safe comparison under the hood). It's clean, readable, and handles null input on either side.
This is especially useful for role checks, status validations, and multi-option matching in business logic.
StringUtils.equals() — Null-Safe String Comparison with Apache Commons Lang
While Objects.equals() handles null-safe comparison between two variables, Apache Commons Lang's StringUtils.equals() offers the same benefit with additional convenience: it's specifically designed for CharSequence (String, StringBuilder, etc.) and is more concise in code. This is a core utility method that many production codebases already depend on.
StringUtils.equals(str1, str2) behaves identically to Objects.equals() for strings: returns true if both are null, false if exactly one is null, and otherwise calls str1.equals(str2). The key difference is that StringUtils.equals() is part of a widely-adopted library that also provides null-safe trim(), isEmpty(), and other string utilities.
If your project already uses Apache Commons Lang, prefer StringUtils.equals() over Objects.equals() for consistency. If you're not using Commons Lang, Objects.equals() is the standard library equivalent.
One subtle edge case: StringUtils.equals() works with any CharSequence, including StringBuilder and StringBuffer, which Objects.equals() does for any Object but without type safety.
For case-insensitive null-safe comparison, use StringUtils.equalsIgnoreCase() — it combines the null safety of StringUtils with case insensitivity, something the standard library does not provide directly.
StringUtils.equals() for consistency with other StringUtils calls. If you want zero external dependencies, use Objects.equals(). For case-insensitive null-safe comparison, StringUtils.equalsIgnoreCase() is the only option — the standard library has no equivalent.StringUtils.equals() calls. This reduced code complexity and eliminated a class of NPE bugs that occurred when null propagation changed upstream.Objects.equals() or StringUtils.equals().StringUtils.equals() and equalsIgnoreCase() provide null-safe comparison with Apache Commons Lang. Use when the library is already present; otherwise rely on Objects.equals() for null-safe equality.compareTo() — When You Need to Know Greater Than, Less Than, or Equal
equals() is a yes-or-no answer: are these the same? But sometimes you need to know the relationship between two strings — specifically, which one comes first alphabetically. That's what compareTo() is built for. It's used under the hood whenever you sort a list of strings.
compareTo() returns an integer, not a boolean. The rule is simple: if the result is zero, the strings are equal. If it's negative, the calling string comes before the argument alphabetically. If it's positive, the calling string comes after. The exact number doesn't matter much — only whether it's negative, zero, or positive.
Java determines the order by comparing characters using their Unicode values. 'A' (65) comes before 'B' (66), and uppercase letters come before lowercase ones in Unicode — which can produce surprising results if you're sorting mixed-case data. For case-insensitive sorting, use compareToIgnoreCase() instead.
You'll use compareTo() most when implementing sorting logic — for example, putting a list of customer names in alphabetical order or checking if one version string is ahead of another.
String Comparison Method Reference Table
Choosing the right comparison method depends on your need for null safety, case sensitivity, and return type. The table below summarises every method covered in this article, including library alternatives.
| Method | Null-safe? | Case-sensitive? | Return type | Typical use case |
|---|---|---|---|---|
== | Yes (references) | N/A | boolean | Check if two variables point to same object (rarely correct for strings) |
String.equals(Object) | No (throws NPE on null caller) | Yes | boolean | Exact content match when caller is known non-null |
String.equalsIgnoreCase(String) | No (throws NPE on null caller) | No | boolean | Case-insensitive match when caller is safe |
String.compareTo(String) | No (throws NPE on null caller) | Yes | int (neg/zero/pos) | Lexicographic ordering for sorting |
String.compareToIgnoreCase(String) | No (throws NPE on null caller) | No | int (neg/zero/pos) | Case-insensitive ordering |
Collator.compare(String, String) | No (throws NPE on either null) | Configurable | int (neg/zero/pos) | Locale-aware sorting |
Objects.equals(Object, Object) | Yes | Calls equals() of first arg | boolean | Comparing two unknown variables that may be null |
StringUtils.equals(CharSequence, CharSequence) | Yes | Yes | boolean | Null-safe exact match (Commons Lang) |
StringUtils.equalsAny(CharSequence, CharSequence...) | Yes | Yes | boolean | Check if string matches any of several candidates (Commons Lang) |
Key to production decisions: - If both strings are variables and null is possible → Objects.equals() - If you have a known literal → "literal".equals(variable) (null-safe via Yoda) - If you need case-insensitivity → add IgnoreCase suffix - If you need sorting → compareTo() family, or Collator for locales - If you need multi-match → StringUtils.equalsAny() or a Set.contains()
Objects.equals() for variable-to-variable comparisons and Yoda for literal-variable comparisons reduces cognitive load and prevents NPEs in edge cases.Gotchas, Common Mistakes, and How to Fix Them
Even developers with a year of Java experience fall into the same traps with string comparison. These aren't theoretical edge cases — they're bugs that make it into production.
The first and most damaging mistake is using == for string content comparison. The second is forgetting that equals() is case-sensitive when your use case isn't. The third is calling equals() on a variable that might be null — and not defending against it.
There's also a subtler trap: comparing strings that have invisible whitespace. If a user copies and pastes a username and accidentally includes a trailing space, equals() returns false even though the strings look identical on screen. Always trim user input before comparing it. The trim() method removes leading and trailing whitespace, and combined with equalsIgnoreCase() it handles most real-world input messiness cleanly.
Understanding these pitfalls is what separates someone who writes code that works in demos from someone who writes code that holds up in production.
trim() before any comparison. Combine it with equalsIgnoreCase() and the null-safe pattern and you've handled the three most common string comparison bugs in one line: "expected".equalsIgnoreCase(userInput.trim())Trim() fixed it, but the real lesson is to always sanitize input early.equals(), invisible whitespace.variable.trim()).Locale-Aware String Comparison with Collator
compareTo() and compareToIgnoreCase() work fine for English, but they start failing when you deal with languages that have special characters. For example, 'é' should sort between 'e' and 'f' in French, but compareTo() puts it after 'z' because its Unicode value (233) is much higher. The same issue happens with German 'ö', Spanish 'ñ', and many other accented characters.
Java provides java.text.Collator for locale-sensitive string comparison. It allows you to define a comparison strength (PRIMARY = ignores case and accents, SECONDARY = ignores case but respects accents, TERTIARY = respects both). For example, Collator.getInstance(Locale.FRENCH) will correctly sort 'côte' before 'côté' before 'coter'.
If your application serves an international user base, using Collator instead of compareTo() for sorting is critical for correct localization.
Practice Problems: Master Java String Comparison
Test your understanding of string comparison in Java with these practical problems. Each problem targets a specific gotcha covered in this article. Work through them in order — the first two are straightforward, the last two require more thought.
Problem 1: The Null-Safe Check You're comparing two strings from different data sources: tokenFromDb (could be null) and tokenFromRequest (could be null). Write a single line that returns true only when both are non-null and equal, or both are null.
Problem 2: Case-Insensitive City Lookup Given a user input like "new york" and a database entry "New York", write a comparison that correctly matches them while trimming whitespace.
Problem 3: Sorting with Foreign Characters You have a list of German city names: [\"München\", \"Berlin\", \"Köln\", \"Düsseldorf\"]. Sort them using the correct German alphabetical order. Which method do you use and why?
Problem 4: Debug the Bug Examine this code and identify all bugs: `` String status = getStatusFromSystem(); // might be null if (status == \"ACTIVE\") { grantAccess(); } `` List every bug and write the corrected version.
Answer Key (for self-check): 1. Objects.equals(tokenFromDb, tokenFromRequest) or StringUtils.equals(tokenFromDb, tokenFromRequest) 2. \"New York\".equalsIgnoreCase(userInput.trim()) — assumes userInput is non-null; otherwise wrap in null check. 3. Use Collator.getInstance(Locale.GERMAN).compare() because compareTo() sorts by Unicode which places 'ö' after 'z', breaking German alphabetical order. 4. Bugs: (a) Using == instead of .equals() — fails if status is from heap (e.g., database). (b) Potential NPE if status is null, but == does not throw. (c) Case sensitivity? Not a bug if \"ACTIVE\" is always uppercase. Fix: \"ACTIVE\".equals(status) if null is possible, else status.equals(\"ACTIVE\") after null check.", "code": { "language": "java", "filename": "PracticeProblems.java", "code": "public class PracticeProblems { public static void main(String[] args) { // Problem 1 solution String tokenFromDb = null; String tokenFromRequest = null; boolean bothNullOrEqual = Objects.equals(tokenFromDb, tokenFromRequest); System.out.println(\"Both null: \" + bothNullOrEqual); // true
tokenFromDb = \"abc123\"; tokenFromRequest = null; bothNullOrEqual = Objects.equals(tokenFromDb, tokenFromRequest); System.out.println(\"One null: \" + bothNullOrEqual); // false
// Problem 2 solution String userInput = \" new york \"; String dbCity = \"New York\"; boolean match = \"New York\".equalsIgnoreCase(userInput.trim()); System.out.println(\"City match: \" + match); // true
// Problem 3 solution import java.text.Collator; import java.util.Locale; List<String> germanCities = Arrays.asList(\"München\", \"Berlin\", \"Köln\", \"Düsseldorf\"); Collator germanCollator = Collator.getInstance(Locale.GERMAN); germanCollator.setStrength(Collator.PRIMARY); germanCities.sort(germanCollator); System.out.println(\"Sorted: \" + germanCities); // Output: [Berlin, Düsseldorf, Köln, München] (correct German order)
// Problem 4 corrected String status = getStatusFromSystem(); // assume this method exists if (\"ACTIVE\".equals(status)) { grantAccess(); } } }", "output": "Both null: true One null: false City match: true Sorted: [Berlin, Düsseldorf, Köln, München]" }, "callout": { "type": "info", "title": "Pro Tip for Practice:", "text": "After solving each problem, run the solution against edge cases: null inputs, empty strings, whitespace-only strings (\" \"), and mixed Unicode normalization forms. These are the exact edges where production bugs hide." }, "production_insight": "During a hiring exercise, candidates who solved problems 3 and 4 correctly demonstrated a deep understanding of string comparison beyond the trivial \"use equals\". In production, problems 3 (locale sorting) and 4 (== ) are the ones that most frequently cause production incidents. Rule: Always include a locale and null-safety check in your code review checklist.", "key_takeaway": "Practice reinforces the three pillars of string comparison: null safety, case sensitivity, and locale awareness. Debugging real-world code requires identifying all three simultaneously." } ]
The compareTo() Pitfall: Why Your Sorted List Just Went Haywire
You've probably used compareTo() to sort strings alphabetically. What you didn't know is that it compares Unicode values — not alphabetical order. That means uppercase letters come before lowercase. All of them. 'Zebra' sorts before 'apple'. Your users will notice. Your product manager will ask why the dropdown looks like a toddler sorted it.
The fix is deceptively simple: use compareToIgnoreCase() when you don't care about case. But here's the real trap — locale. compareToIgnoreCase() still uses default locale rules. In Turkish, 'I' and 'İ' are different letters. Your app will break for Turkish users. The only safe path for multilingual sorting is Collator.getInstance(locale).compare() — we covered that in the Collator section. But remember: compareTo() is for machine comparison, not human sorting.
The Three Variants of compareTo() — And When Each One Bites You
Java's String class gives you three flavors of compareTo(). Each one has a specific use case, and one of them is practically useless in production. Let's burn through them.
First: compareTo(Object obj). This overload takes an Object, not a String. If you pass something that isn't a String, it throws a ClassCastException at runtime. This is the legacy version from Java 1.0. You should never use it. Generics exist now. If you see this in a codebase, flag it in code review.
Second: compareTo(String anotherString). This is the workhorse. It compares two strings lexicographically based on Unicode values. Use it for programmatic ordering — tree maps, sorted sets, priority queues. Just remember the case problem we discussed.
Third: compareToIgnoreCase(String str). This converts both strings to uppercase via Character.toUpperCase() before comparing. Note: it doesn't use full locale rules. It's an optimization over manually calling toUpperCase() on both strings before compareTo(). But for most applications, it's close enough. If you need true locale-aware comparison, reach for Collator.
Comparing Substrings Without the Boilerplate
You don't need to extract substrings before comparing them. The regionMatches() method lets you directly compare portions of two strings. This is useful when you're parsing structured data — CSV headers, log prefixes, or protocol messages — without copying memory.
The method signature is: regionMatches(boolean ignoreCase, int toffset, String other, int ooffset, int len). The first parameter is whether to ignore case. Then you specify where to start in your string, the other string, where to start in theirs, and how many characters to compare.
Why does this matter? Because substring() in Java 6 and earlier created a new String object sharing the same underlying char array. Modern Java avoids that, but regionMatches() is still more direct. More importantly, it makes your intent explicit: "I only care about this part." It's also null-safe if you check first — a common pattern when parsing log lines where the string could be malformed.
substring().equals() because it doesn't create intermediate String objects. Use it in tight loops or when parsing high-volume log data.Stop Casting: int compareTo(Object obj) Killed Clean Code
The legacy compareTo(Object obj) signature exists only because Comparable<T> didn't always have generics. You'll find it in old code, ancient libraries, and anything still running on Java 1.4.
The problem? You must cast the parameter manually. One wrong cast and you get ClassCastException at runtime — not compile time. Production crashes from a misplaced object reference. The return value is still -1, 0, or 1, but your code looks like a horror show.
Never write new code using this signature. If you're stuck maintaining it, wrap every cast in a try-catch or at least validate instanceof first. The generic Comparable<String> gives you compile-time safety. Use it. Your coworkers will thank you.
compareToIgnoreCase() — When Case Doesn't Matter But Order Does
Case-insensitive sorting is a common requirement: usernames, email addresses, product codes. You could call toLowerCase() on every comparison, but that creates garbage objects and slows down sorting on large datasets.
compareToIgnoreCase() handles this natively. It uses a case-insensitive comparator internally — no temporary strings, no allocation, no surprises. Returns negative, zero, or positive just like compareTo(), but 'Apple' and 'apple' become equal for ordering.
There's a catch: locale. This method uses default locale rules. If you need case-insensitive sorting for Turkish or Lithuanian, use Collator.getInstance(locale) instead. Otherwise, this is your fastest zero-allocation path to case-blind ordering.
Collections.sort() or streams, pass String::compareToIgnoreCase as the comparator. No lambda overhead, native performance.Using String.equalsIgnoreCase() — When Case Doesn't Matter But Correctness Does
Many developers write custom loops that convert both strings to lowercase before comparing them. This is slow, memory-heavy, and subtly wrong. String.equalsIgnoreCase() avoids these problems entirely by comparing characters case-insensitively without allocating new strings. It uses Character.toLowerCase() and Character.toUpperCase() internally to handle Unicode correctly, unlike manual .toLowerCase().equals(), which can fail for certain international characters like the Turkish 'İ' and 'ı'. The method works on any two strings including literals, variables, and null — but throws NullPointerException if either argument is null, so pair it with a null check or Objects.equals() for safety. Use equalsIgnoreCase() whenever your business logic requires ignoring case for equality, such as comparing usernames, email addresses, or command inputs. It is faster and more readable than manual conversion and avoids the hidden bugs introduced by locale-sensitive lowercasing.
String.equalsIgnoreCase() for null-safe, locale-aware case-insensitive equality without temporary allocations.Using User-Defined Comparison Functions
When built-in comparison methods don't fit your needs — like ignoring whitespace, comparing only alphabetic characters, or applying custom weightings — create your own comparison function. Implement java.util.Comparator<String> and override the compare() method. This keeps your logic reusable and testable, and integrates cleanly with sorting APIs like Collections.sort() and Arrays.sort(). For single-use comparisons, write a lambda: (a, b) -> customCompare(a, b). Remember that a valid comparator must return a negative integer, zero, or a positive integer — any other contract violation breaks sorting algorithms. User-defined functions also let you normalize strings before comparison (strip punctuation, trim whitespace) without polluting your data. They follow the same contract as String.compareTo() and work with all JDK sorting and searching utilities. Avoid writing comparison logic inline in multiple places; encapsulate it once and reuse.
Overview: Why Java String Comparison Deserves Your Full Attention
String comparison in Java is deceptively simple yet perpetually dangerous. Every Java developer learns == doesn't work for content equality within their first week, but the rabbit hole goes far deeper. The fundamental tension lies between Java's object-oriented nature and the primitive-like behavior strings demand. A single misstep with null references, locale sensitivity, or Unicode normalization can corrupt data pipelines, break sorting algorithms, or leak security boundaries in production. The core tools — equals(), compareTo(), equalsIgnoreCase(), and compareToIgnoreCase() — each serve distinct purposes that beginners often conflate. equals() checks logical equality; compareTo() imposes ordering. Ignoring case changes semantics and performance. Beyond these basics, Collator handles linguistic rules for internationalized applications, while custom comparators give you precise control over complex sorting logic. Understanding these differences isn't academic — it's the difference between a correct, maintainable application and one that silently corrupts user data. This guide systematically reveals each comparison technique's contract, pitfalls, and proper use cases so you never guess again.
String.intern() or literal reuse may mask bugs in development, but runtime-loaded strings (from files, network, databases) will break your logic silently.equals() for equality, compareTo() for ordering, never == for content.Conclusion: Master String Comparison or Your Code Will Bleed
String comparison in Java is a battlefield where correct code separates professionals from amateurs. The journey through equals() vs compareTo(), case sensitivity, locale-aware Collator usage, and custom comparators reveals one truth: there is no universal 'best' approach — only the right tool for each context. Ignoring Collator in global applications produces culturally offensive sorting, while misusing compareTo() in sorted collections corrupts data structure invariants. The Java String API gives you powerful, precise instruments; understanding their contracts prevents the subtle bugs that evade unit tests and surface in production only when real-world, varied input arrives. Practice the common mistakes and always test with null, empty strings, Unicode edge cases (like 'é' vs 'é'), and different locales. Your future self — and your users — will thank you for the discipline. This is not abstract advice: your next bug fix or feature implementation will demand these choices. Make them knowingly.
Authentication Bypass Caused by == Instead of equals()
String() or char array conversion), == returned false even for identical text.equals() for all string content comparisons. Added a static analysis rule (PMD CompareObjectsWithEquals) to prevent recurrence.- Never use == for string content — even if it 'works' in tests, it will break in production when strings come from non-literal sources.
- Enforce code review checks: any == between String variables should be flagged automatically.
- Use
equals()on the constant side to avoid NullPointerException: "expected".equals(variable)
equals(). Use equals() or equalsIgnoreCase() as appropriate. Also print the Unicode code points with codePointAt() to detect invisible differences.Normalizer.normalize().System.out.println(a == b); // false? then check a.equals(b)System.out.println(a.equals(b)); // if true, you found the bug20+ years shipping production Java in banking & fintech. Drawn from code that ran under real load.
That's Strings. Mark it forged?
19 min read · try the examples if you haven't