3.3 - PHP strcmp bypass
https://bing0o.github.io/posts/pg-potato-box/
https://www.doyler.net/security-not-included/bypassing-php-strcmp-abctf2016
Setting $_GET['password'], for example, equal to an empty array makes strcmp return NULL. Due to some inherent weaknesses in PHP's comparisons, NULL == 0 will return true.
If you take a close look at the source code above, you will notice that the application uses strcmp on line 8 to check the username and password, and that can be bypassed with username[]=""&password[]="" as shown below.
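An added example (not code from the linked write-ups or from the target application) that puts the comparison pattern described above next to a hardened version. The credential constants and function names are hypothetical. On PHP 8 and later, strcmp() throws a TypeError for array arguments instead of returning NULL, so the loop catches that case.

```php
<?php
// Constructed sample credentials, not taken from the original page.
const EXPECTED_USER = 'admin';
const EXPECTED_PASS = 'constructed-sample-secret';

// Pattern described above: loose == applied to strcmp()'s result.
// PHP < 8:  strcmp(array, string) emits a warning and returns NULL; NULL == 0 is true.
// PHP >= 8: the same call throws TypeError instead of returning NULL.
function login_vulnerable($user, $pass): bool
{
    return strcmp($user, EXPECTED_USER) == 0 && strcmp($pass, EXPECTED_PASS) == 0;
}

// Hardened: reject non-string input first, then compare in constant time.
// (A real application would store a password hash and use password_verify().)
function login_hardened($user, $pass): bool
{
    if (!is_string($user) || !is_string($pass)) {
        return false;
    }
    $userOk = hash_equals(EXPECTED_USER, $user);
    $passOk = hash_equals(EXPECTED_PASS, $pass);
    return $userOk && $passOk;
}

// Build the same structure PHP creates in $_GET for username[]=""&password[]=""
parse_str('username[]=""&password[]=""', $params);

$checks = ['vulnerable' => 'login_vulnerable', 'hardened' => 'login_hardened'];
foreach ($checks as $name => $fn) {
    try {
        // @ hides the PHP 7 "expects parameter 1 to be string" warning.
        $result = @$fn($params['username'], $params['password']);
        printf("%s: %s\n", $name, $result ? 'ACCEPTED' : 'rejected');
    } catch (TypeError $e) {
        printf("%s: TypeError (PHP 8+ behaviour)\n", $name);
    }
}
```

The `is_string()` guard is what closes the hole on every PHP version; switching `==` to `===` alone also stops the NULL result from passing as 0.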
