So we need to get $_REQUEST["passwd"] to be greater than 10, AND strstr($_REQUEST["passwd"],"iloveyou") to evaluate to true. Let’s examine the behavior of the PHP ">" operator:
According to php.net, “If you compare a number with a string or the comparison involves numerical strings, then each string is converted to a number and the comparison performed numerically”. So it looks like this condition will evaluate to true when $passwd is a number, or starts with a number that is greater than 10, even if letters follow that number. Great! So we need to get strstr($_REQUEST["passwd"],"iloveyou") to evaluate to true and we’ll be set. The php.net manual says strstr() “Returns the portion of string [starting at the match, to the end of the string], or FALSE if needle is not found”. Here’s another example to chew on:
We should have all the information we need to win now:
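The two checks discussed above, set beside stricter equivalents, as an added example that is not part of the original write-up or the challenge's code. The function names, the placeholder secret and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not from the original write-up. The secret below is a
// hypothetical placeholder and every input in $samples is constructed.

// The check in the shape the write-up describes: a substring test combined
// with a string-versus-integer comparison that relies on type juggling.
function loose_check($passwd)
{
    return strstr($passwd, "iloveyou") && ($passwd > 10);
}

// Stricter numeric test: the value as a whole must validate as an integer
// above 10, so a numeric prefix followed by other characters is rejected.
function is_int_above_10($value)
{
    return is_string($value) && filter_var(
        $value,
        FILTER_VALIDATE_INT,
        ["options" => ["min_range" => 11]]
    ) !== false;
}

// Stricter secret test: exact, constant-time match instead of "contains".
function strict_check($passwd, $expected)
{
    return is_string($passwd) && hash_equals($expected, $passwd);
}

$expected = "PLACEHOLDER-SECRET";   // hypothetical value
$samples  = ["iloveyou", "11iloveyou", "11", "PLACEHOLDER-SECRET"];

// Before PHP 8.0, "$passwd > 10" uses the leading numeric prefix of the
// string; from 8.0 a non-numeric string is compared with "10" as a string.
// Either way the loose result depends on juggling rules, which is why the
// strict functions validate type and format explicitly.
foreach ($samples as $s) {
    printf(
        "%-22s loose=%-5s int>10=%-5s strict=%s\n",
        var_export($s, true),
        var_export(loose_check($s), true),
        var_export(is_int_above_10($s), true),
        var_export(strict_check($s, $expected), true)
    );
}
```

Running it under both a PHP 7 and a PHP 8 interpreter shows the loose column changing between versions while the strict columns stay the same.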