PHP strcmp() bypass

PHP strcmp() documentation here: https://www.php.net/manual/en/function.strcmp.php

If you pass an array to strcmp() instead of a string, PHP raises a warning, but the result still compares equal to 0:

    <?php
    // An array is passed where strcmp() expects a string.
    if (strcmp([], "text") == 0) {
        echo 'This is 0';
    } else {
        echo 'This is not 0';
    }

Running this PHP code we’d get:

    Warning: strcmp() expects parameter 1 to be string, array given in <filename> on line <line number>
    This is 0

This is useful to know when trying to bypass PHP strcmp() string comparison when doing Capture the Flag challenges.

This is also something you should keep in mind when writing secure PHP code.
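
The comparison above next to a hardened version, as an added example that is not code from the original page. The function names, the secret and the sample inputs are constructed for illustration. It relies on two facts about PHP: on PHP 7.x strcmp() returns NULL when given an array, and NULL == 0 is true under loose comparison, while PHP 8 and later throw a TypeError for the array instead.

```php
<?php
// Added example: hypothetical function names, constructed secret and inputs.

const EXPECTED = 'constructed-secret';

// Weak: loose comparison of strcmp()'s result.
// On PHP 7.x an array argument makes strcmp() return NULL, and NULL == 0.
function check_weak($input): bool
{
    try {
        // @ only hides the warning so the demo output stays readable.
        return @strcmp($input, EXPECTED) == 0;
    } catch (TypeError $e) {
        // PHP 8+ rejects the array with a TypeError instead of returning NULL.
        return false;
    }
}

// Hardened: require a string first, then compare with hash_equals(),
// which returns a strict boolean and runs in constant time.
// (Using === 0 on strcmp()'s result also rejects NULL, but does not
// validate the type of the input.)
function check_hardened($input): bool
{
    if (!is_string($input)) {
        return false;
    }
    return hash_equals(EXPECTED, $input);
}

// Values read from a request are not guaranteed to be strings,
// so the array case is included alongside the two string cases.
$samples = [
    'correct string' => 'constructed-secret',
    'wrong string'   => 'guess',
    'array'          => [],
];

foreach ($samples as $label => $input) {
    printf(
        "%-15s weak=%s hardened=%s\n",
        $label,
        var_export(check_weak($input), true),
        var_export(check_hardened($input), true)
    );
}
```

On PHP 7.x the weak check accepts the array while the hardened check rejects it; on PHP 8 and later both reject it.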