What does =& mean?

[bebop]

Hello everybody,

 

I'm fairly new to PHP. I was wondering if you could help me with the meaning of

=&

since trying to search for such things tends to turn up nothing.

 

I found it in a very small php class I downloaded (hoping to learn something) and at the bottom there is

$sanitizedData =& new sanitize();

("sanitize" being the name of the class or am I stating the obvious here?)

 

Thanks in advance,

Sam

[Mchl]

http://php.net/manual/en/language.references.pass.php

 

I might add, that the usage you posted above is deprecated in PHP5.3. It should simply be

$sanitizedData = new sanitize();

[gizmola]

Yeah, in php4 when you would create an object with new and assign it to a variable, the assignment itself would make a copy of the object. In many cases that didn't tend to matter much, but if the constructor was doing a lot of heavy duty stuff, or was creating resources, you would use the =& to get around the quirk.

 

In php5 all objects are passed by reference, so you no longer have to worry about this issue.  There are of course still lots of php4 libraries out there, and you are apparently using one of them.  If there's a way you can find a newer one, I'd recommend it.

[bebop]

In php5 all objects are passed by reference, so you no longer have to worry about this issue.  There are of course still lots of php4 libraries out there, and you are apparently using one of them.  If there's a way you can find a newer one, I'd recommend it.

 

First of all thank you for your prompt replies! I really appreciate your help and will read more upon this matter through the link posted above. Here is the class I downloaded. I'm a total newbie but from the little I can tell, there isn't much to it that can be referred to as "old" or "new" apart from what you mentioned just now right? (I don't mean to contradict, just asking so I learn)

 

Thank you once more!

 

<?php

/**
* @class Sanitize
* @author Nirmit Bothra
* @copyright 2007
* @description This class sanitizes all user input which are accessed by PHP using POST, GET or REQUEST variables. Data sanitation helps in making 
*				safe transactions with a database. 
*/

class sanitize {
function sanitize() {
	// class constructor and 
	$this->sanitizeCookie();
	$this->sanitizeGet();
	$this->sanitizeRequest();
	$this->sanitizePost();
}

function sanitizePost() {
	foreach($_POST as $key=>$value) {
		$_POST[$key] = addslashes($value);
	}
}
function sanitizeGet() {
	foreach($_GET as $key=>$value) {
		$_GET[$key] = addslashes($value);
	}
}
function sanitizeRequest() {
	foreach($_REQUEST as $key=>$value) {
		$_REQUEST[$key] = addslashes($value);
	}
}
function sanitizeCookie() {
	foreach($_COOKIE as $key=>$value) {
		$_COOKIE[$key] = addslashes($value);
	}
}
}

$sanitizedData =& new sanitize();
?>

[Mchl]

Just drop this class altogether. There are much better ways to do sanitising in PHP 5.x.

 

 

[bebop]

Just drop this class altogether. There are much better ways to do sanitising in PHP 5.x.

 

Hi Mchl, if you have a couple of minutes and it's not too much bother, could you please give me a couple of links/pointers to some tutorial/s? Thanks!

[gizmola]

First off, you have to define what you mean by sanitation.  The class you were looking at did almost nothing, other than to escape values assumably for insertion into a database.  If that's what you want, there are functions for at least some of the databases that are specific to them.  In the case of mysql, there' mysql_real_escape_string() which is what you should use for escaping.

 

 

[Mchl]

It actually depends on what you're sanitising your variables for. For example for use with mysql, a code would look like this

 

$variable = $_POST['variable'];
if(get_magic_quotes_gps()) {
  $variable = stripslashes($variable);
}
$variable = mysql_real_escape_string($variable);

 

This is for one variable only. It can be extended to sanitise entire contents og _GET, _POST and _COOKIE, but personally I think each variable should be sanitised separately.

There are also further concerns to be taken care of, like checking if variable content matches specific patter (i.e. does 'email' field looks like a valid email address).

[bebop]

It actually depends on what you're sanitising your variables for. For example for use with mysql, a code would look like this

 

$variable = $_POST['variable'];
if(get_magic_quotes_gps()) {
  $variable = stripslashes($variable);
}
$variable = mysql_real_escape_string($variable);

 

This is for one variable only. It can be extended to sanitise entire contents og _GET, _POST and _COOKIE, but personally I think each variable should be sanitised separately.

There are also further concerns to be taken care of, like checking if variable content matches specific patter (i.e. does 'email' field looks like a valid email address).

 

 

Ok I'm hoping I won't take too much of your time since I already did. My apologies.

 

I was looking for something that I can "bounce off" (return?) user-input from - as in, user inputs data, data is "filtered" through this class and returned sanitized and off to the database. Sorry my terminology is just as bad so I hope I'm not confusing you further.

 

So 1) I don't know if it's even a clever idea to 'generalize' such function putting in one class/file 2) is it at all possible to do so?

 

There's so much to learn and I never give up it's just that it gets mind-boggling the sheer amount of functions etc there are to learn! Thanks again for your kind patience!

[Mchl]

Perhaps you should read this first:

http://www.phpfreaks.com/tutorial/php-security

[bebop]

Perhaps you should read this first:

http://www.phpfreaks.com/tutorial/php-security

 

Oh dear!  Had a quick look at the topics covered and it's exactly what I was looking for! Thank you! My being eternally grateful to you for this link won't bring warm food on your table but I certainly am! Thanks!! I'm off to read it and learn something new!

 

Cheers,

Sam