# ExplanationYou can log in with either the correct password, or the password

1. # Explanation
2.  
3. You can log in with either the correct password, or the password 'IndictClapper4Perjury' (sans quotes).
4.  
5. Because `password_verify()` is defined in the namespace `Framework`, if the call to password_verify() (inside of the context of the "Framework" namespace) is not preceded by a backslash, PHP will by default look in the current namespace then check the global namespace. Silently.
6.  
7.  
8. i.e. it will attempt in this order
9.  
10. 1. \Framework\password_verify()
11. 2. \password_verfiy()
12.  
13. If you comment out the require_once "login.php"; line, you can still log in with the proper password.
14.  
15. Patch for index.php:
16.  
17. - if (password_verify('IndictClapper4Perjury', $hash)) {
18. + if (\password_verify('IndictClapper4Perjury', $hash)) {
19.  
20. It's a very easy mistake to miss, unless the code auditor is intimately familiar with how PHP implements namespaces.