We came accross a bug in a bot filtering page the other day. The page called a routine which used a regular expression to check for validly formatted input. The function was called from several places and worked fine. In just one branch it appeared to fail to validate the input, and continued execution of the page instead of redirecting to the target page.
The reason? Someone left out the exit; after the Header Location call, which allows the execution to continue down the page. Moral: Make sure you call exit after a PHP Header call to Location if you want execution to branch immediately!
if (InvalidInput($Stuff))
{
header("Location: http://www.example.com/"); /* Redirect browser */
exit; /* Make sure that code below does not get executed when we redirect. */
}
/* Execute on valid input */
?>
