...
The == operator first converts its arguments into numbers by extracting digits from the front of each argument (along with a preceding + or -). Nonnumeric data in an argument is ignored, and the number consists of whatever digits were extractextracted. A string such as "goodpass" has no leading digits and is thus converted to the numeral 0. Consequently, unless either $password or $correct contains leading digits, they will both be converted to 0 and will be considered equivalent.
...