PHP superglobals include $_GET, $_POST, $_REQUEST, $_SESSION, $_COOKIE, $_SERVER, $_FILES, $_ENV, and $GLOBALS, each serving distinct purposes beyond just handling form data; they enable state management, server interaction, and environment access. 1. $_REQUEST combines $_GET, $_POST, and $_COOKIE but poses security risks due to input source ambiguity, so it should be avoided unless necessary. 2. $_SESSION maintains user state across requests after calling session_start(), with security best practices including avoiding sensitive data storage and using session_regenerate_id() post-login to prevent fixation attacks. 3. $_COOKIE reads client-side cookies, while setcookie() sets them, requiring httponly, secure, and samesite flags for protection against XSS and MITM attacks. 4. $_SERVER provides request and environment metadata such as REQUEST_METHOD, REMOTE_ADDR, and HTTP_USER_AGENT, but values like HTTP_REFERER and HTTP_USER_AGENT should not be trusted as they are spoofable. 5. $_FILES handles file uploads by accessing temporary file data, requiring error checks, MIME type validation, and secure storage outside the web root to prevent execution risks. 6. $_ENV accesses environment variables if enabled in php.ini, though modern applications typically use .env files with dedicated loaders. 7. $GLOBALS exposes all global variables and is mainly useful for debugging or modifying global state within functions. Security best practices include validating and sanitizing all input from superglobals, using prepared statements for SQL queries, escaping output with htmlspecialchars() to prevent XSS, and never treating superglobal data as trusted, ensuring robust and secure PHP applications.

When most developers think of PHP superglobals, their minds jump straight to $_GET and $_POST — and for good reason. These are the workhorses of form handling and URL parameter processing in web applications. But PHP’s superglobals go far beyond just request data. Understanding the full set of superglobals gives you deeper insight into how PHP manages state, handles sessions, and interacts with the server environment. Let’s take a closer look at all the superglobals and how they can be used effectively and securely.

What Are Superglobals?

Superglobals are built-in PHP variables that are always accessible, regardless of scope. You can use them inside functions, classes, or anywhere in your script without needing to globalize them. They start with a $ and an underscore, like $_GET, and are predefined by PHP.

The full list of superglobals includes:

• $_GET
• $_POST
• $_REQUEST
• $_SESSION
• $_COOKIE
• $_SERVER
• $_FILES
• $_ENV
• $GLOBALS

We’ll go beyond the basics and explore the lesser-used ones and their practical applications.

$_REQUEST: Convenience with a Security Caveat

$_REQUEST is a merged array containing the contents of $_GET, $_POST, and $_COOKIE (in that order by default). This means if a key exists in more than one source, the later one overrides the earlier.

// If ?name=alice is in the URL and a form POSTs name=bob
echo $_REQUEST['name']; // outputs 'bob'

Why it’s risky: Because $_REQUEST pulls from multiple input sources, it can make your application less predictable and more vulnerable to injection attacks if not filtered carefully.

? Best Practice: Avoid $_REQUEST unless you specifically need input-agnostic handling. Prefer $_GET or $_POST to be explicit about where data is coming from.

$_SESSION: Managing State Across Requests

HTTP is stateless, but $_SESSION helps maintain user state across pages. It stores data on the server and associates it with a user via a session ID (usually stored in a cookie).

session_start();
$_SESSION['user_id'] = 123;
$_SESSION['logged_in'] = true;

Key points:

• Always call session_start() before accessing $_SESSION.
• Session data persists until the session is destroyed or expires.
• Never store sensitive data like passwords in sessions — only identifiers.

? Security Tip: Regenerate session IDs after login using session_regenerate_id() to prevent session fixation attacks.

$_COOKIE: Reading Client-Side Storage

Cookies are small pieces of data stored on the client. $_COOKIE lets you read them in PHP.

if (isset($_COOKIE['theme'])) {
    echo 'Preferred theme: ' . $_COOKIE['theme'];
}

To set a cookie, use setcookie() (not $_COOKIE — that’s read-only):

setcookie('theme', 'dark', time()   (86400 * 30)); // 30 days

? Security Note: Use the httponly and secure flags when setting cookies to reduce XSS and MITM risks:

setcookie('session_id', $token, [
    'expires' => time()   3600,
    'path' => '/',
    'secure' => true,
    'httponly' => true,
    'samesite' => 'Strict'
]);

$_SERVER: Metadata About the Request and Environment

This superglobal holds information about headers, paths, and server settings. It’s read-only and populated by the web server.

Common useful keys:

• $_SERVER['REQUEST_METHOD'] – GET, POST, etc.
• $_SERVER['HTTPS'] – check if connection is secure
• $_SERVER['REMOTE_ADDR'] – client IP address
• $_SERVER['HTTP_USER_AGENT'] – browser info
• $_SERVER['SCRIPT_NAME'] – current script path
• $_SERVER['HTTP_REFERER'] – previous page (note the misspelling)

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Process form
}

?? Caution: Never trust $_SERVER values blindly. HTTP_USER_AGENT and HTTP_REFERER can be spoofed. Use them for logging or analytics, not authentication.

$_FILES: Handling File Uploads

When a form uses enctype="multipart/form-data", uploaded files are available in $_FILES.

A typical file upload array looks like:

$_FILES['avatar'] = [
    'name' => 'photo.jpg',
    'type' => 'image/jpeg',
    'tmp_name' => '/tmp/php/php58ut12',
    'size' => 98123,
    'error' => 0
];

To move the uploaded file:

if ($_FILES['avatar']['error'] === UPLOAD_ERR_OK) {
    $tmp_name = $_FILES['avatar']['tmp_name'];
    $upload_dir = 'uploads/';
    move_uploaded_file($tmp_name, $upload_dir . basename($_FILES['avatar']['name']));
}

? Best Practices:

• Always check $_FILES['field']['error'] first.
• Validate file type using mime_content_type() or fileinfo, not just the extension.
• Store uploads outside the web root or restrict direct access.

$_ENV and $GLOBALS: Environment and Global Scope

$_ENV

Contains environment variables passed to PHP. Often empty by default unless variables_order in php.ini includes 'E'.

echo $_ENV['DB_HOST'] ?? 'localhost';

Most modern apps use .env files with libraries like vlucas/phpdotenv instead of relying on $_ENV.

$GLOBALS

An associative array of all global variables in the script.

$a = 10;
echo $GLOBALS['a']; // 10

It’s rarely needed, but useful for debugging or manipulating global state from within functions.

Security Reminders When Using Superglobals

• Never trust input: Always validate and sanitize data from $_GET, $_POST, $_COOKIE, and $_SERVER.
• Use prepared statements: When inserting superglobal data into SQL queries.
• Escape output: Use htmlspecialchars() to prevent XSS.
• Filter file uploads: Check size, type, and never execute uploaded files.

Final Thoughts

While $_GET and $_POST are essential, mastering the full range of PHP superglobals unlocks better control over your application’s behavior, security, and user experience. From managing sessions with $_SESSION to parsing uploads via $_FILES, each superglobal serves a distinct purpose.

Understanding when and how to use them — and, just as importantly, how not to misuse them — is a hallmark of a mature PHP developer.

Basically, treat all superglobal data as untrusted, and you’ll be on the right track.

The above is the detailed content of A Deep Dive into PHP Superglobals: Beyond `$_GET` and `$_POST`. For more information, please follow other related articles on the PHP Chinese website!