What Are PHP Superglobals and How to Use Them

PHP superglobals are built-in, globally accessible variables that allow developers to access environment, session, user input, and server data from anywhere within a script. This article explains what PHP superglobals are, explores the most common types—such as $_GET, $_POST, and $_SESSION—and demonstrates how to use them securely and effectively in your web applications.

What Are PHP Superglobals?

In PHP, variable scope typically restricts where a variable can be accessed. For example, a variable declared inside a function cannot normally be accessed outside of it. Superglobals bypass these scoping rules. They are predefined arrays that are always available in all scopes throughout your PHP script—whether inside functions, classes, or files—without requiring the global keyword.

The Most Common PHP Superglobals

PHP includes nine superglobal variables. Below are the most frequently used superglobals and how they function.

1. $_GET and $_POST

These superglobals are used to collect form data after an HTTP request.

// Example of accessing a GET parameter: www.example.com/?name=John
$name = $_GET['name'] ?? 'Guest';

// Example of accessing a POST parameter from a form
$email = $_POST['email'] ?? '';

2. $_SERVER

$_SERVER is an array containing information such as headers, paths, and script locations. It is populated by the web server.

echo $_SERVER['PHP_SELF'];     // Returns the filename of the currently executing script
echo $_SERVER['SERVER_NAME'];  // Returns the name of the host server
echo $_SERVER['HTTP_USER_AGENT']; // Returns the user agent string of the browser

3. $_SESSION

$_SESSION is used to store and access user data across multiple pages during a single session. Unlike cookies, session data is stored on the server.

// Start the session
session_start();

// Set session variables
$_SESSION['user_id'] = 42;

// Access session variables
echo "User ID is: " . $_SESSION['user_id'];

$_COOKIE retrieves data sent by the client’s browser via HTTP cookies. Cookies must be set using the setcookie() function before they can be read.

// Retrieve a cookie named "user"
$username = $_COOKIE['user'] ?? 'Anonymous';

5. $_FILES

This superglobal contains items uploaded to the script via the HTTP POST method. It provides details like the file name, type, size, temporary location, and any upload errors.

$fileName = $_FILES['uploaded_file']['name'];
$fileTemp = $_FILES['uploaded_file']['tmp_name'];

6. $GLOBALS

$GLOBALS is an associative array containing references to all variables currently defined in the global scope of the script. The keys of this array are the names of the global variables.

$x = 75;
$y = 25;

function addition() {
    $GLOBALS['z'] = $GLOBALS['x'] + $GLOBALS['y'];
}

addition();
echo $z; // Outputs 100

7. $_ENV and $_REQUEST

Security Best Practices with Superglobals

Because superglobals like $_GET, $_POST, and $_COOKIE rely on user-submitted data, they are primary targets for security vulnerabilities like Cross-Site Scripting (XSS) and SQL Injection.

Always sanitize and validate superglobal data before using it:

// Securely retrieving a GET variable
$username = filter_input(INPUT_GET, 'username', FILTER_SANITIZE_SPECIAL_CHARS);