Description:
------------
Sometimes when adding a session ID to a URL, it is not added after existing parameters, but rather iafter the closing quote for the URL.  For example, an anchor tag of '<a href="xyzzy.php?arg=y">' would be rewritten as '<a href="xyzzy.php?arg=y"?PHPSESSID=123...>' instead of '<a href="xyzzy.php?arg=y&PHPSESSID=123...">'.

This appears to be similar to the issue reported in bug #3411.  It appears to be buffer related, since adding or subtracting a few characters from earlier in the page can introduce or eliminate the error.  As mentioned in #3411, turning on output buffering eliminates the problem.

This seemed to work correctly through 5.2.5, but has not worked since 5.2.6.


Reproduce code:
---------------
Since it appears to be dependent on the number of bytes in the buffer, it can't be reproduced in 20 lines.  Here is a link to a page that generated the examples:

http://www.rubgrp.com/~bill/sample.php


Expected result:
----------------
<a href="custmain.php?srch=000006&PHPSESSID=ho7ev8p2bmc16rotaih4duat82">000006</a>
...snip...
<a href="custmain.php?srch=000007&PHPSESSID=ho7ev8p2bmc16rotaih4duat82>000007</a>
..snip...
<a href="custmain.php?srch=000008&PHPSESSID=ho7ev8p2bmc16rotaih4duat82">000008</a></td>

Actual result:
--------------
<a href="custmain.php?srch=000006&PHPSESSID=ho7ev8p2bmc16rotaih4duat82">000006</a>
...snip...
<a href="custmain.php?srch=000007"?PHPSESSID=ho7ev8p2bmc16rotaih4duat82>000007</a>
..snip...
<a href="custmain.php?srch=000008&PHPSESSID=ho7ev8p2bmc16rotaih4duat82">000008</a></td>

(The first and third are correct; in the second line the session ID is added after the closing quote on the href value.)