Why is hashed password not matching from value in database?

Question

I have a registration form whose snippet is as follows-

$email=$_GET['email'];
$pass=$_GET['pass'];
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
        $password = hash('sha256', $pass.$salt);
        for($round = 0; $round < 65536; $round++) 
        { 
            $password = hash('sha256', $password.$salt);
        }
        mysql_query("INSERT INTO user_tbl(email, password, salt) VALUES ('$email','$password','$salt')");

For a specific password following string is getting stored in db-

df22e53c7fb2d599d64597a04fd28ca47bc79675ac50a2381c9a17fd4e07b263

Now i also have a login form. Whose code snippet is as follows-

$email=$_GET['email'];
$pass=$_GET['password'];
$result=mysql_query("SELECT * from user_tbl where email='$email'");
$row=mysql_fetch_array($result);
$salt = $row['salt'];
$password = hash('sha256', $pass.$salt);
for($round = 0; $round < 65536; $round++) 
   { 
       $password = hash('sha256', $password.$salt);
   }
if(strcmp($row['password'],$password)!=0)
{
    echo "wrongpassword";
    exit();
}
else
{
    echo "Success";
}

Now i could see that the hashed password which the login form is evaluating to is also df22e53c7fb2d599d64597a04fd28ca47bc79675ac50a2381c9a17fd4e07b263 . Which is same as what registration form is submitting to database. They should match. But they are not. The String compare test is always failing. The length of both fields ie password and salt are 200 each and are of type VARCHAR which is sufficient i think because above algo will generate a 64 character long string only. Still What is the problem? Please help me out here.

Answer 1

You just need a simple correction in your IF condition:

if(strcmp($row['password'],$password)!==0) // change here :)
{
    echo "wrongpassword";
    exit();
}
else
{
    echo "Success";
}

Please see the documentation: http://php.net/manual/en/function.strcmp.php