What Are PHP Superglobals and How to Use Them
PHP superglobals are built-in, globally accessible variables that
allow developers to access environment, session, user input, and server
data from anywhere within a script. This article explains what PHP
superglobals are, explores the most common types—such as
$_GET, $_POST, and $_SESSION—and
demonstrates how to use them securely and effectively in your web
applications.
What Are PHP Superglobals?
In PHP, variable scope typically restricts where a variable can be
accessed. For example, a variable declared inside a function cannot
normally be accessed outside of it. Superglobals bypass these scoping
rules. They are predefined arrays that are always available in all
scopes throughout your PHP script—whether inside functions, classes, or
files—without requiring the global keyword.
The Most Common PHP Superglobals
PHP includes nine superglobal variables. Below are the most frequently used superglobals and how they function.
1. $_GET and
$_POST
These superglobals are used to collect form data after an HTTP request.
$_GETcollects data sent in the URL query string.$_POSTcollects data sent via an HTTP POST request, which is more secure as parameters are not visible in the URL.
// Example of accessing a GET parameter: www.example.com/?name=John
$name = $_GET['name'] ?? 'Guest';
// Example of accessing a POST parameter from a form
$email = $_POST['email'] ?? '';2. $_SERVER
$_SERVER is an array containing information such as
headers, paths, and script locations. It is populated by the web
server.
echo $_SERVER['PHP_SELF']; // Returns the filename of the currently executing script
echo $_SERVER['SERVER_NAME']; // Returns the name of the host server
echo $_SERVER['HTTP_USER_AGENT']; // Returns the user agent string of the browser3. $_SESSION
$_SESSION is used to store and access user data across
multiple pages during a single session. Unlike cookies, session data is
stored on the server.
// Start the session
session_start();
// Set session variables
$_SESSION['user_id'] = 42;
// Access session variables
echo "User ID is: " . $_SESSION['user_id'];4. $_COOKIE
$_COOKIE retrieves data sent by the client’s browser via
HTTP cookies. Cookies must be set using the setcookie()
function before they can be read.
// Retrieve a cookie named "user"
$username = $_COOKIE['user'] ?? 'Anonymous';5. $_FILES
This superglobal contains items uploaded to the script via the HTTP POST method. It provides details like the file name, type, size, temporary location, and any upload errors.
$fileName = $_FILES['uploaded_file']['name'];
$fileTemp = $_FILES['uploaded_file']['tmp_name'];6. $GLOBALS
$GLOBALS is an associative array containing references
to all variables currently defined in the global scope of the script.
The keys of this array are the names of the global variables.
$x = 75;
$y = 25;
function addition() {
$GLOBALS['z'] = $GLOBALS['x'] + $GLOBALS['y'];
}
addition();
echo $z; // Outputs 1007. $_ENV and
$_REQUEST
$_ENV: Contains environment variables passed to the PHP script from the environment in which the parser is running.$_REQUEST: A combined array that contains the contents of$_GET,$_POST, and$_COOKIEby default.
Security Best Practices with Superglobals
Because superglobals like $_GET, $_POST,
and $_COOKIE rely on user-submitted data, they are primary
targets for security vulnerabilities like Cross-Site Scripting (XSS) and
SQL Injection.
Always sanitize and validate superglobal data before using it:
- Validation: Ensure the data meets your expected format (e.g., checking if an email is valid).
- Sanitization: Clean the data of harmful characters
using functions like
filter_input()orhtmlspecialchars().
// Securely retrieving a GET variable
$username = filter_input(INPUT_GET, 'username', FILTER_SANITIZE_SPECIAL_CHARS);