
Object Cloning & Security Implications

security PHP 5.0+ Intermediate
debt(d8/e5/b3/t7)
d8 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'silent in production' (d8), PHPStan won't reliably detect shallow-clone aliasing of nested objects; bugs surface only when shared state mutates unexpectedly, slightly better than d9 because code review can spot missing __clone().

e5 Effort Remediation debt — work required to fix once spotted

Closest to 'touches multiple files / significant refactor' (e5), implementing __clone() properly requires understanding the full object graph and may cascade to nested classes that also need __clone() methods.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3), the cloning contract is per-class but applies across web/cli/queue contexts where the object is used; doesn't reshape the whole system.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7): clone reads like a deep copy but is shallow, which contradicts intuition from languages and contexts where 'copy' means independent, and it silently shares references to nested objects, including sensitive state.


TL;DR

clone creates a shallow copy — nested objects are still shared references. Implement __clone() for deep copy and audit what sensitive state gets duplicated.

Explanation

PHP's clone keyword creates a shallow copy: scalar properties (and arrays) are copied by value, but any property that holds an object still points at the same instance, and objects inside a copied array are shared too. Neither clone nor unserialize() calls the constructor, so validation enforced there is not re-run on the copy. The security consequences follow directly: cloning an authenticated session object yields two sessions backed by the same identity and credential objects; cloning a wrapper around a PDO connection yields two wrappers driving one connection and one transaction state; and a clone inherits the original's tokens and secrets unless something explicitly replaces them. PHP calls __clone() on the new object right after the shallow copy is made, so that is the place to clone nested objects and to reset sensitive state (auth tokens, session IDs, connection handles). Before PHP 8.3, readonly properties cannot be reassigned inside __clone(), which blocks deep-copying readonly object properties there; from 8.3 on they may be reinitialised once during cloning. Note that PDO itself cannot be cloned at all: clone on a PDO instance throws an Error ("Trying to clone an uncloneable object of class PDO"), and resources are not objects and cannot be cloned either. The risk lives in the objects that hold them.
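The aliasing, the __clone() fix and the PDO case described above, as one runnable script. This is an added example and not code from the original page: Identity, Session, SafeSession, sharesNestedObjects() and the anonymous PDO holder are hypothetical names chosen for illustration, the script needs PHP 8.0+ (constructor promotion), and the PDO section assumes the pdo_sqlite extension is loaded.

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. Hypothetical classes used to
// show shallow-clone aliasing, a correct __clone(), and PDO handle sharing.

final class Identity
{
    public function __construct(public array $roles) {}
}

// Naive session: no __clone(), so clones alias the Identity and keep the token.
final class Session
{
    public function __construct(
        public Identity $identity,
        public string $authToken,
    ) {}
}

// Same shape with a correct __clone().
final class SafeSession
{
    public function __construct(
        public Identity $identity,
        public string $authToken,
    ) {}

    public function __clone(): void
    {
        // Deep-copy nested objects so the clone owns its own state.
        $this->identity = clone $this->identity;
        // Never let two live sessions share one bearer token.
        $this->authToken = bin2hex(random_bytes(32));
    }
}

// One-level check: do $a and $b share any object held directly in a property?
function sharesNestedObjects(object $a, object $b): bool
{
    foreach ((new ReflectionObject($a))->getProperties() as $prop) {
        $prop->setAccessible(true); // needed for private props before 8.1; no-op after
        $va = $prop->getValue($a);
        $vb = $prop->getValue($b);
        if (is_object($va) && is_object($vb) && spl_object_id($va) === spl_object_id($vb)) {
            return true;
        }
    }
    return false;
}

// Constructed sample data.
$session = new Session(new Identity(['user']), 'tok-original');
$copy = clone $session;
$copy->identity->roles[] = 'admin';                  // escalates the ORIGINAL too
var_dump($session->identity->roles);                 // ['user', 'admin']
var_dump(sharesNestedObjects($session, $copy));      // true
var_dump($copy->authToken === $session->authToken);  // true: same bearer token

$safe = new SafeSession(new Identity(['user']), 'tok-original');
$safeCopy = clone $safe;
$safeCopy->identity->roles[] = 'admin';
var_dump($safe->identity->roles);                    // ['user']
var_dump(sharesNestedObjects($safe, $safeCopy));     // false
var_dump($safeCopy->authToken === $safe->authToken); // false

// PDO refuses to be cloned outright...
$pdo = new PDO('sqlite::memory:');
try {
    clone $pdo;
} catch (Error $e) {
    echo $e->getMessage(), PHP_EOL; // Trying to clone an uncloneable object of class PDO
}
// ...but an object that merely holds a PDO clones fine and shares the handle.
$holder = new class($pdo) { public function __construct(public PDO $db) {} };
$holderCopy = clone $holder;
var_dump($holder->db === $holderCopy->db); // true: one connection, one transaction state
```

sharesNestedObjects() only inspects one level of the object graph; in a real audit, recurse into each object property (tracking visited ids) or the check will miss an alias two levels down.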

Common Misconception

That clone creates a fully independent deep copy. It is a shallow copy: nested objects remain references to the same instances.

Why It Matters

Shallow cloning of objects containing auth state, database connections, or cryptographic keys can lead to unintended state sharing between clones.

Common Mistakes

  • Cloning objects with nested objects and assuming full independence.
  • Not implementing __clone() to deep-copy nested value objects.
  • Cloning an object that holds a PDO connection or a resource handle and expecting a second, independent connection: the clone shares the handle (and PDO instances themselves refuse to be cloned and throw an Error).

Code Examples

✗ Vulnerable
class Address {
    public string $city; // Typed properties need PHP 7.4+
}
class User {
    public Address $address; // Object reference, not a copy
    public string $authToken;
}
$user = new User();
$user->address = new Address();
$user->address->city = 'Kraków';
$copy = clone $user;
$copy->address->city = 'Warsaw'; // Also changes $user->address->city!
✓ Fixed
class User {
    public Address $address; // Address as above
    public string $authToken;

    public function __clone() {
        $this->address = clone $this->address; // Deep copy: the clone owns its Address
        $this->authToken = bin2hex(random_bytes(32)); // New token: clones never share credentials
    }
}
$user = new User();
$user->address = new Address();
$user->address->city = 'Kraków';
$user->authToken = bin2hex(random_bytes(32));
$copy = clone $user;
$copy->address->city = 'Warsaw'; // $user->address->city is still 'Kraków'
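The readonly caveat from the Explanation, worked through as an added example that is not part of the original page: a readonly value object whose __clone() works only on PHP 8.3+, beside the constructor-based copy that works on 8.1 and 8.2 and, unlike clone, re-runs the constructor's validation. Scope, ApiCredential, LegacyApiCredential and withFreshSecret() are hypothetical names.

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. Hypothetical classes showing
// why readonly properties complicate __clone() before PHP 8.3.

final class Scope
{
    public function __construct(public array $permissions) {}
}

// PHP 8.3+: readonly properties may be reinitialised once inside __clone().
final class ApiCredential
{
    public function __construct(
        public readonly Scope $scope,
        public readonly string $secret,
    ) {}

    public function __clone(): void
    {
        $this->scope = clone $this->scope;            // Error before PHP 8.3
        $this->secret = bin2hex(random_bytes(32));    // never share a secret between copies
    }
}

// PHP 8.1/8.2: no __clone(). Copy through the constructor instead, so the
// nested Scope is not shared and validation runs (clone would skip it).
final class LegacyApiCredential
{
    public function __construct(
        public readonly Scope $scope,
        public readonly string $secret,
    ) {
        if (strlen($secret) < 32) {
            throw new InvalidArgumentException('secret too short');
        }
    }

    public function withFreshSecret(): self
    {
        return new self(clone $this->scope, bin2hex(random_bytes(32)));
    }
}

if (PHP_VERSION_ID >= 80300) {
    $cred = new ApiCredential(new Scope(['read']), bin2hex(random_bytes(32)));
    $copy = clone $cred;
    $copy->scope->permissions[] = 'write';    // Scope is mutable, but the clone owns its own
    var_dump($cred->scope->permissions);      // ['read']
    var_dump($copy->secret === $cred->secret); // false
}

$legacy = new LegacyApiCredential(new Scope(['read']), bin2hex(random_bytes(32)));
$copy = $legacy->withFreshSecret();
$copy->scope->permissions[] = 'write';
var_dump($legacy->scope->permissions);        // ['read']
var_dump($copy->secret === $legacy->secret);  // false
```

The constructor route is also the safer default whenever a class enforces invariants in __construct(): clone never calls the constructor, so a readonly object copied with clone can carry state that would have been rejected on construction.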

Added 22 Mar 2026
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: Medium
⚡ Quick Fix
Implement __clone() to deep-copy all nested objects. Reset sensitive state (tokens, IDs) in __clone(). Do not try to duplicate PDO connections or resource handles with clone: PDO throws on clone, and a cloned wrapper simply shares the handle, so open a new connection instead.
📦 Applies To
PHP 5.0+ web cli queue-worker
🔍 Detection Hints
clone \$
Auto-detectable: No (phpstan)
🤖 AI Agent
Confidence: Medium · False positives: Medium · Manual fix · Fix effort: Medium · Context: Class · Tests: Update
CWE-374 CWE-672
