Superglobal variables

01. 11. 2019

Obsah článku

Superglobal variables are used to pass global application state and HTTP communication.

The main advantage of these variables is that they are always and everywhere available. In practice, they are arrays of values where we access specific information by index. In different contexts, the availability of keys may vary (explained below).

Types of superglobal variables

All superglobals in PHP are arrays and are denoted by a dollar sign followed by an underscore (except $GLOBALS) and uppercase characters.

In PHP 7 there are in particular the following:

Variable	Description
`$_GET`	URL parameters sent by the GET method
`$_POST`	Form data sent by POST. Note that may behave differently in ajax.
`$_REQUEST`	Form data sent by any method (`$_GET`, `$_POST` and `$_REQUEST`).
`$_FILES`	Technical information about the currently uploaded files, for example via the `<input type="file">` construct
`$_SERVER`	Web server settings, IP address, configuration... it varies depending on the environment (when calling a PHP script from Terminal it will contain different values and for example information about the current request will be missing).
`$_COOKIE`	Configured cookies.
`$_SESSION`	Session data (session), if it exists and has been set in the past.
`$GLOBALS`	Warning, it does not contain an underscore in the name! This is the so-called global-variable and an alternative notation for the keyword `global`. If you have a global variable `$variable` in your application, you can also access it with the `$GLOBALS["variable"]` construct. However, using global variables is a bad and impure solution by design, so you'd better not do it.
`$_ENV`	Information about the current environment where PHP is running.

Listing all existing values is easy to do:

foreach ($_SERVER as $key => $value {
	echo $key . ': ' . $value . '<br>';
}

Note: Not all indexes must always exist (for example, if the script runs cron in CLI mode, the index with the page URL or the IP address of the request will not exist).

Access to variables

I recommend that all global variables (except $_SESSION) are read-only. This is because they contain global application data and other code may take this into account (for example, another installed library).

Another disadvantage of global state is that you can't always rely on exact values, even if they exist, so you should always check their keys with the isset() construct.

To save a new cookie, use setcookie() and do not insert the value directly. This is because it is read-only.

Lessons learned

Never blindly trust the values of superglobal variables!

The user can use the URL and the headers sent to influence how the values are set. All input should always be carefully validated.

Register globals - the trouble with the old version of PHP

In the old version of PHP (up to 5.4.0), there was a special register-globals directive (configurable in php.ini) that caused all passed parameters in a URL to be automatically registered as variables.

For example:

A user arrived at the URL: https://example.com/script.php?var=24

And PHP automatically created a variable $var with the value 24 within the script.

So it worked classically:

<?php

echo $var;

So anyone could slip any variable into the script and change its contents. Obviously, security was not always a priority. Notquite.

Other sources

For a more detailed description, see the official manual.

Jan Barášek Více o autorovi

Autor článku pracuje jako seniorní vývojář a software architekt v Praze. Navrhuje a spravuje velké webové aplikace, které znáte a používáte. Od roku 2009 nabral bohaté zkušenosti, které tímto webem předává dál.

Rád vám pomůžu: