The Problem of String Concatenation and Format String Vulnerabilities

If JavaScript is your programming language of choice, you probably don't have to worry about string concatenation all that much. Instead, one of the recurring problems you might encounter is having to wait for JavaScript's npm package manager to install all of the required dependencies. If that sounds all too familiar, and you have some time on your hands until npm is done, you might as well spend it reading about how string concatenation works in other languages.

In this blog post, we examine why string concatenation is a complicated topic, why you can't concatenate two values of different types in low-level programming languages without conversion, and how string concatenation can lead to vulnerabilities. We'll also explain how format strings that contain placeholders for certain types of data can cause serious trouble if they are controlled by an attacker. We'll conclude with a simple way to fix them.

Concatenate Strings in Groovy

1. Introduction

Groovy has two ways of instantiating strings. One is plain java.lang.String and the second is groovy.lang.GString.

A plain string is written with single or double quotes. However, single-quoted strings don't support interpolation. Interpolation is supported only in double-quoted strings, and when it is present, the string becomes a GString. In this article, we will see the different types of string representations in Groovy and how to concatenate them.

JDK 9/JEP 280: String Concatenations Will Never Be the Same

JEP 280 ("Indify String Concatenation") was implemented in conjunction with JDK 9 and, according to its "Summary" section, "Change[s] the static String-concatenation bytecode sequence generated by javac to use invokedynamic calls to JDK library functions." The impact this has on string concatenation in Java is most easily seen by looking at the javap output of classes that use string concatenation, compiled with pre-JDK 9 and post-JDK 9 JDKs.

The following simple Java class named "HelloWorldStringConcat" will be used for the first demonstration.