The following was posted to the Web Security Mailinglist: Unauthorized Access: Bypassing PHP strcmp(). A way to bypass PHP’s strcmp() binary safe string comparison function.