Checking login with PHP

I'm making an API for a simple forum, and I'm trying to check the login with PHP.

On the control page: checklogin.php

    <?php
    error_reporting(E_ALL);
    ini_set('display_errors', 1);

    if(!isset($_POST['username']) or (!isset($_POST['password']))) {
        die('type username & password');
    }
    require_once('usersapi.php');

    if(empty($_POST['username']) || empty($_POST['password'])){
        tinyf_db_close();
        die('bad user info');
    }
    $user = tinyf_users_get_by_name($_POST['username']);

    if(!$user) {
        die('bad user');
    }
    //check connection if mysqli couldn't fetch
    $pass = md5(mysqli_real_escape_string($tf_handle, strip_tags($_POST['password'])));
    tinyf_db_close();
    // if(strcmp('n','n')) 0 , if(0) doesn't work :D
    if(strcmp($pass,$user->password !== 0)){
        die('bad__user');
    }

    die('success');
    ?>

The result ===> bad__user

I expected the result success

I think the function strcmp isn't working

The syntax of PHP's strcmp() is as follows:

    strcmp ( string $str1 , string $str2 )

Returns < 0 if str1 is less than str2; > 0 if str1 is greater than str2, and 0 if they are equal.

The parenthesis in your code is misplaced:

    strcmp($pass,$user->password !== 0)

Rather than comparing the 2 values, it is comparing $pass with the boolean value that indicates whether $user->password !== 0. Given the fact that each of the variables is set to a string of "1", this is equivalent to strcmp("1",false), which returns int(1), which causes the if statement to return true, and outputs die('bad__user').

In order to compare the 2 values, the syntax should be:

    if ( strcmp($pass,$user->password) !== 0 ) {
        die('bad__user');
    }

Here's a demonstration.

This being said, I believe the commenters above have advised you to consider more secure password hashing/validation techniques.
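A hardened form of the check that the answer's closing remark points toward, as an added example that is not part of the original question or answer. `verify_login` is a hypothetical helper; it assumes legacy rows hold the unsalted MD5 of the raw password (no escaping applied before hashing) and that the caller writes any returned replacement hash back to the users table.

```php
<?php
declare(strict_types=1);

/**
 * Verify a login attempt against a stored hash (hypothetical helper).
 * Returns [bool $ok, ?string $newHash]; $newHash is non-null when the
 * stored value should be replaced (legacy MD5 or outdated parameters).
 */
function verify_login(string $password, string $storedHash): array
{
    // Legacy rows: 32 hex chars of unsalted MD5, as in the question's code.
    if (preg_match('/^[0-9a-f]{32}$/i', $storedHash) === 1) {
        // hash_equals() returns a bool and compares in constant time,
        // so there is no "!== 0" to misplace as with strcmp().
        if (!hash_equals(strtolower($storedHash), md5($password))) {
            return [false, null];
        }
        // Correct password: upgrade the row to a salted, slow hash.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }

    // Modern rows: password_verify() reads algorithm, cost and salt
    // from the hash string itself.
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $newHash = password_needs_rehash($storedHash, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $newHash];
}

// Constructed sample data (not from the original post).
$legacy = md5('correct horse');                              // old-style row
$modern = password_hash('correct horse', PASSWORD_DEFAULT);  // new-style row

[$ok, $upgrade] = verify_login('correct horse', $legacy);
var_dump($ok, $upgrade !== null);
[$ok] = verify_login('wrong', $legacy);
var_dump($ok);
[$ok, $upgrade] = verify_login('correct horse', $modern);
var_dump($ok, $upgrade === null);
```

The password is hashed exactly as submitted; SQL escaping and tag stripping belong to query building and output, and applying them before hashing changes what the user typed.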

