Description: ------------ In Auth/Container.php the function verifyPassword() uses == to compare passwords (or the md5/crypted equivalents). This could result in a false equality due to php deciding that they are numeric strings, eg if one is "05" and the other "5". OK: this is most likely to happen in the 'none' encrypted case, but could theoretically in md5/crypt. strcmp() should be used to compare these strings. Test script: --------------- None, I read the code.

This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better. I used (string)$password1 === (string)$password2 as it is 4 to 5 times as fast as strcmp yet still gives the same results.

Sorry Adam that doesn't fix it. Execute the following code to see what I mean: $a = "0001"; $b = "01"; var_dump((string)$a == (string)$b); var_dump(!strcmp($a, $b));

which is why I'm not using that code. try running this: $a = "0001"; $b = "01"; var_dump((string)$a === (string)$b); var_dump(!strcmp($a, $b));