[2000-07-26 21:43 UTC] zak@php.net
[2000-08-20 02:58 UTC] sniper@php.net
Last updated: Sun Dec 21 02:00:01 2025 UTC |
I have discovered what appears to be a bug that is reproducible in our company's production environment.

We have a user-defined function that checks authentication against a database of email addresses and passwords. If the authentication is successful, the function will return the user ID number (e.g. a table with ID, email, password). This function is called teacher_login, and accepts an email address along with an md5 hash of the password. The purpose of the function is to look up that email address, verify the password and return the unique ID for that user.

The line

    $uid = teacher_login($email,md5($password));

assigns the user ID to the $uid variable. If the next line is a simple operation, then the script runs as normal. However, if a library (native) function is called, the $uid variable changes its value (note that $uid is not referenced in the function call). If a user-defined function is called, then the script runs as normal.

Here is the teacher_login function:

    function teacher_login($sEmail,$sMD5Pass) {
        $db = db_connect();
        if (!$db) fError("S001",$PHP_SELF,"");
        $sql = "SELECT id,password FROM teacher WHERE email='$sEmail'";
        $query = mssql_query($sql,$db);
        if (!$query) fError("S002",$PHP_SELF,"");
        $row = mssql_fetch_array($query);
        if (!$row[password]) fError("U001",$PHP_SELF,"");
        if (md5($row[password]) != $sMD5Pass) fError("U002",$PHP_SELF,"");
        echo "teacher_login:\$row[id] = " . $row[id] . "<br>\n";
        return $row[id];
    }

And here is a snippet of code that causes the error:

    $uid = teacher_login($email,md5($password));
    $session_data[0] = $email;
    echo urlencode("goober"); //library function
    echo "\$uid = $uid";

Where it is using urlencode, I had originally used md5 as I was hashing a password. I have tried several random library functions, and I still get the incorrect UID. If I move the echo "\$uid... line before the library function, then the correct UID is returned.
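An added example, not code from the report or from the PHP project: the same lookup as teacher_login written with a bound query parameter and password_verify() in place of the interpolated SQL string and the md5 comparison against a stored plaintext password. Assumptions: PDO with an in-memory SQLite database instead of MSSQL, a password_hash column, a changed function signature, and constructed sample rows. It does not address the $uid behaviour described in the report.

```php
<?php
declare(strict_types=1);

// Hypothetical rewrite of the report's teacher_login(): bound parameter
// instead of string interpolation, password_verify() instead of md5().
function teacher_login(PDO $db, string $email, string $password): ?int
{
    // The email value is sent as data, never spliced into the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM teacher WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the email is unknown, so the
    // known and unknown paths do comparable work.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy', PASSWORD_DEFAULT);
    $hash = $row === false ? $dummy : $row['password_hash'];

    if (!password_verify($password, $hash) || $row === false) {
        return null;   // one failure result for every rejection reason
    }
    return (int) $row['id'];
}

// Constructed sample data (assumption: pdo_sqlite is available; the
// application in the report used MSSQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE teacher (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO teacher (id, email, password_hash) VALUES (?, ?, ?)');
$ins->execute([42, 'teacher@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

$cases = [
    ['teacher@example.test', 'correct horse'],  // valid login
    ['teacher@example.test', 'wrong'],          // bad password
    ["o'brien@example.test", 'anything'],       // quote character stays data
];
foreach ($cases as [$email, $password]) {
    $uid = teacher_login($db, $email, $password);
    printf("%-24s => %s\n", $email, $uid === null ? 'rejected' : "uid $uid");
}
```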