CodeClarityLab / Glossary
Ctrl K
← CodeClarityLab Home
Browse by Category
+ added · updated 7d
⚖ Terms of Use
← Back to glossary

PHP 4 Objects Passed by Value (Pre-5 Gotcha)

php PHP 4.0+ Intermediate
debt(d5/e3/b3/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The term's detection_hints list Rector and PHPCS — both are specialist static analysis / code-mod tools rather than the default compiler or standard linter. The code_pattern `=&\s*\$` gives these tools something concrete to flag, but you wouldn't catch it without running them explicitly.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix is 'Remove =& for objects in PHP 5+ code; use clone explicitly when a true copy is needed.' This is a small, targeted change — swap or remove the reference operator across affected call sites — but may touch several places in a legacy file, making it slightly more than a single one-liner (e1) yet still well within one component.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). The applies_to scope is PHP 4.0–4.4 / web context only, and the concern is historical — legacy codebases carrying old PHP 4 object-passing patterns. Once corrected (or once the codebase is PHP 5+), the ongoing maintenance cost is minimal. It doesn't shape every future change, so it stays at b3 rather than climbing higher.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap — contradicts how a similar concept works elsewhere' (t7). The misconception field states explicitly: 'PHP always copied objects — PHP 5 changed this.' A competent modern PHP developer assumes objects are passed by handle (reference-like), so reading PHP 4 code that relies on copy-by-value semantics, or vice versa reading PHP 5 code expecting PHP 4 behaviour, produces exactly the wrong mental model. This directly contradicts modern PHP's behaviour, landing it at t7.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-11 · reviewed by human

TL;DR

PHP 4 copied objects on assignment — $b = $a created a full clone. PHP 5+ passes object handles by value (reference semantics). This was the biggest PHP 4 pain point.

Explanation

In PHP 4, $b = $a where $a is an object creates a complete copy. Methods called on $b don't affect $a. In PHP 5+, objects use handle semantics — assignment copies the handle (reference to the object), so $b = $a makes both point to the same object. To get PHP 4 behaviour in PHP 5+, use clone. In PHP 4, developers used =& to pass objects by true reference. Legacy code using =& for objects is a PHP 4 pattern — remove in PHP 5+. The PHP 5 change was so significant it's the primary reason PHP 4 code is incompatible.

Common Misconception

PHP always copied objects — PHP 5 changed this. Now assignment copies the object handle, not the object itself.

Why It Matters

PHP 4 passed objects by value, meaning modifying an object inside a function had no effect on the caller's copy — the opposite of every modern PHP developer's expectation. Code written before PHP 5 that relies on clone semantics behaves completely differently in PHP 5+. Understanding this prevents misreading legacy code and explains why old tutorials explicitly clone before passing objects, a practice that looks redundant in modern PHP.

Common Mistakes

  • Using =& for objects in PHP 5+ — unnecessary, creates a reference alias to the handle.
  • Not using clone when a true copy is needed in PHP 5+.
  • Assuming old PHP 4 code behaves the same in PHP 5 — it often doesn't due to object semantics.

Code Examples

✗ Vulnerable 
// PHP 4 pattern — unnecessary in PHP 5+:
$obj2 =& $obj1; // Reference to avoid copy

// PHP 4 actual copy issue:
$obj2 = $obj1;
$obj2->value = 'changed'; // Did NOT change $obj1 in PHP 4
✓ Fixed 
// PHP 5+ — same object:
$obj2 = $obj1;
$obj2->value = 'changed'; // Changes $obj1 too!

// True copy in PHP 5+:
$obj2 = clone $obj1;
$obj2->value = 'changed'; // $obj1 unchanged
Added 23 Mar 2026
Views 26

Curated in Warsaw under one editorial standard. 1,448 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings F 1 ping S 0 pings S 1 ping M 0 pings T 0 pings W 0 pings T 0 pings F 1 ping S 0 pings S 0 pings M 0 pings T 0 pings W 1 ping T 1 ping F 1 ping S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 1 ping S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F
Agents 0
No pings yet today
No pings yesterday
Amazonbot 7 Perplexity 5 Google 4 Unknown AI 3 ChatGPT 1 Meta AI 1 Ahrefs 1
Also referenced
PHP 5 OOP Revolution — Objects by Reference 35 PHP 4 — Zend Engine 1, Classes Without OOP 28 Object Cloning & Security Implications 20
How they use it
crawler 20 pre-tracking 2
Related categories
php 7.2k security 4.5k
DEV INTEL Tools & Severity
🔵 Info ⚙ Fix effort: Low
⚡ Quick Fix
Remove =& for objects in PHP 5+ code. Use clone explicitly when a true object copy is needed.
📦 Applies To
PHP 4.0+ web
🔗 Prerequisites
🔍 Detection Hints
=&\s*\$
Auto-detectable: ✓ Yes rector phpcs
🤖 AI Agent
Confidence: Medium False Positives: Medium ✓ Auto-fixable Fix: Low Context: Line
✓ schema.org compliant