$_SERVER['SCRIPT_NAME'] provides the script path relative to the document root; 2. $_SERVER['PHP_SELF'] includes the script path but may be manipulated, making it less secure; 3. $_SERVER['REQUEST_URI'] gives the full URI with query string for redirects or logging; 4. $_SERVER['SCRIPT_FILENAME'] returns the absolute server path of the script for file inclusion or debugging; 5. $_SERVER['DOCUMENT_ROOT'] holds the web server’s root directory for reliable path building; 6. $_SERVER['REMOTE_ADDR'] contains the client’s IP, though proxies may require $_SERVER['HTTP_X_FORWARDED_FOR'] with caution; 7. $_SERVER['REMOTE_PORT'] shows the client’s connection port; 8. $_SERVER['SERVER_ADDR'] is the server’s IP, useful in clustered setups; 9. $_SERVER['SERVER_NAME'] is the hostname from virtual host configuration; 10. $_SERVER['HTTP_HOST'] reflects the Host header, ideal for URL construction; 11. $_SERVER['REQUEST_METHOD'] indicates the HTTP method for routing or form handling; 12. $_SERVER['QUERY_STRING'] holds the raw query string for URL rebuilding; 13. $_SERVER['HTTP_USER_AGENT'] identifies the client browser for analytics; 14. $_SERVER['HTTP_REFERER'] shows the referring page, though it may be missing; 15. $_SERVER['HTTPS'] is set on secure connections, requiring careful checking; 16. $_SERVER['SERVER_PORT'] gives the server port for accurate URL generation; 17. Proxy headers like $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['HTTP_X_FORWARDED_PROTO'] provide client and protocol info behind load balancers but must be validated; always check key existence, sanitize inputs, avoid untrusted headers, and use REQUEST_URI with SCRIPT_NAME for secure routing, as $_SERVER is powerful but requires cautious handling to prevent bugs and security issues.

The $_SERVER superglobal in PHP is one of the most useful tools for developers working with web applications. It contains information about the server and execution environment, request headers, paths, and script locations. Knowing which keys are available—and when to use them—can save time and prevent bugs in routing, security checks, and debugging.

Here’s a practical cheatsheet to the most commonly used $_SERVER variables, what they mean, and how to use them wisely.

1. Request and Script Location Info

These variables help determine where your script is running and how it was accessed.

• $_SERVER['SCRIPT_NAME']
  The path of the current script, relative to the document root.
  Example: /blog/index.php

• $_SERVER['PHP_SELF']
  Similar to SCRIPT_NAME, but includes the path and any extra path info (which can be manipulated). Less secure if used in forms or URLs without sanitization.

  

• $_SERVER['REQUEST_URI']
  The full URI used to access the page, including query string.
  Example: /blog/post/123?ref=home
  Useful for building dynamic redirects or logging incoming requests.

• $_SERVER['SCRIPT_FILENAME']
  The absolute server path to the current script.
  Example: /var/www/html/blog/index.php
  Helpful when including files or debugging file locations.

• $_SERVER['DOCUMENT_ROOT']
  The root directory of your web server (e.g., /var/www/html).
  Use this to build reliable file paths without hardcoding.

2. Client and Connection Details

Get information about the user's request and connection.

• $_SERVER['REMOTE_ADDR']
  The IP address of the client making the request.
  Important for logging, rate limiting, or geolocation.
  ?? Caution: Behind proxies or load balancers, this may show the proxy IP. Use HTTP_X_FORWARDED_FOR carefully instead (see below).

• $_SERVER['REMOTE_PORT']
  The port used by the client to connect to the server.

• $_SERVER['SERVER_ADDR']
  The IP address of the server (if running under Apache/FPM). Useful in multi-homed or cluster environments.

• $_SERVER['SERVER_NAME']
  The server’s hostname (e.g., example.com). Defined in the virtual host config.
  Often used to build absolute URLs.

• $_SERVER['HTTP_HOST']
  The Host header sent by the browser. May include port (e.g., example.com:8080).
  More accurate than SERVER_NAME for constructing URLs, especially in virtual hosting.

3. HTTP Request and Method Info

Understand how the request was made.

• $_SERVER['REQUEST_METHOD']
  The HTTP method used: GET, POST, PUT, DELETE, etc.
  Essential for RESTful routing or form handling.

• $_SERVER['QUERY_STRING']
  The raw query string (e.g., user=123&tab=profile).
  Useful when rebuilding URLs or parsing custom parameters.

• $_SERVER['HTTP_USER_AGENT']
  The browser or client software used.
  Example: Mozilla/5.0 (X11; Linux x86_64) ...
  Can be used for feature detection or analytics (but avoid browser sniffing when possible).

• $_SERVER['HTTP_REFERER'] (yes, misspelled)
  The page that referred the user.
  Use for tracking traffic sources or preventing hotlinking.
  ?? Not always set—users or privacy tools may suppress it.

4. HTTPS and Security Context

Determine if the connection is secure.

• $_SERVER['HTTPS']
  Present and non-empty if the request is over HTTPS.
  Note: Not always set to 'on'—depends on server setup.
  Example check:

  $isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

• $_SERVER['SERVER_PORT']
  The port the server is listening on.
  80 for HTTP, 443 for HTTPS—but can vary. Use with HTTP_HOST to build correct URLs.

5. Proxy and Load Balancer Headers (Use with Caution)

When behind reverse proxies (e.g., Nginx, Cloudflare), the real client info may be in custom headers.

• $_SERVER['HTTP_X_FORWARDED_FOR']
  Contains the original client IP when routed through a proxy.
  ?? Can be spoofed—never trust it blindly. Only use if you control the proxy.

• $_SERVER['HTTP_X_FORWARDED_PROTO']
  Indicates the original protocol (http or https).
  Useful when your app is behind a TLS-terminating proxy.

  Example:

  if ($_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
      $_SERVER['HTTPS'] = 'on';
  }

Final Tips

• Always check if a key exists before using it:

  $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';

• Never trust $_SERVER values from the client side—especially HTTP_* headers. Validate and sanitize.

• Avoid relying on PHP_SELF in form actions due to potential XSS if not escaped.

• Use REQUEST_URI and SCRIPT_NAME together for clean routing in MVC apps.

Basically, $_SERVER is powerful but needs careful handling. Know the common keys, understand your server setup, and never assume the environment. That’s the real pro move.

The above is the detailed content of The Ultimate Developer's Cheatsheet to the $_SERVER Superglobal Array. For more information, please follow other related articles on the PHP Chinese website!