Hudzilla.org - the homepage of Paul Hudson PHP and PHP

3.8     Superglobals

NOTE: This is NOT the latest copy of this book; click here for the latest version.

All variables that come into PHP arrive inside one of several special arrays known collectively as the superglobals. They're called superglobal because they are available everywhere in your script, even inside objects and arrays. These arrays were not available in PHP before v4.1, so many older scripts use alternatives. The new versions are superior, though, so it is strongly recommended that all new scripts use the superglobals. Superglobals can be used like any other arrays in PHP, which means you can iterate through them, etc.

There are nine superglobals available for use, categorised by type of variable. These are:

| Name | Functionality |
| --- | --- |
| $GLOBALS | Contains all global variables in your script, including other superglobals. This is not generally recommended for use, unless you are, for some reason, not sure where a variable will be stored. $GLOBALS has been available since PHP 3, and its operation has not changed. |
| $_GET | Contains all variables sent via a HTTP GET request. That is, sent by way of the URL. Users of older PHP versions will recognise this as being the same as $HTTP_GET_VARS array, which, although deprecated, is still available for use. |
| $_POST | Contains all variables sent via a HTTP POST request. This is similar to the old $HTTP_POST_VARS array, which, although deprecated, is still available for use. |
| $_FILES | Contains all variables sent via a HTTP POST file upload. This is similar to the old $HTTP_POST_FILES array, which, although deprecated, is still available for use. |
| $_COOKIE | Contains all variables sent via HTTP cookies. This is similar to the old $HTTP_COOKIE_VARS array, which, although deprecated, is still available for use. |
| $_REQUEST | Contains all variables sent via HTTP GET, HTTP POST, and HTTP cookies. This is basically the equivalent of combining $_GET, $_POST, and $_COOKIE, and is less dangerous than using $GLOBALS. However, as it does contain all variables from untrusted sources (that is, your visitors), you should still try to steer clear unless you have very good reason to use it. There's no equivalent to $_REQUEST in versions of PHP before v4.1. |
| $_SESSION | Contains all variables stored in a user's session. This is similar to the old $HTTP_SESSION_VARS array, which, although deprecated, is still available for use. |
| $_SERVER | Contains all variables set by the web server you are using, or other sources that directly relate to the execution of your script. This is similar to the old $HTTP_SERVER_VARS array, which, although deprecated, is still available for use. |
| $_ENV | Contains all environment variables set by your system or shell for the script. This is similar to the old $HTTP_ENV_VARS array, which, although deprecated, is still available for use. |

Many programmers still use the old syntax for these variables ($HTTP_SERVER_VARS, etc), so you may wonder why the older versions are deprecated in favour of the new superglobals. There are two key differences between the old versions and the new versions:

  1. The new versions are much shorter to type. I do not know about you, but I'd much rather type $_GET than $HTTP_GET_VARS each time I want to access a variable!

  2. The new versions are automatically global everywhere in your script, even inside functions. The older variables, like $HTTP_SESSION_VARS, were not available inside functions unless you specifically requested for them to be available.

There are two superglobal arrays that I would discourage use of as much as possible, and these are $GLOBALS and $_REQUEST. Both of these arrays are combinations of the other arrays, and therefore mingle together untrusted user data. When you use $_COOKIE['somevar'], you know that the value has come from a cookie on the user's machine, and not from someone editing the URL to your site. When using $_REQUEST['somevar'], however, you no longer have that guarantee, and you are left trusting the user to some extent.
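The mingling described above, as an added example that is not from the original book: the constructed arrays $get, $post and $cookie stand in for $_GET, $_POST and $_COOKIE so the script runs from the command line, and build_request() and int_from() are hypothetical helpers. build_request() emulates the merge order PHP takes from the request_order (or variables_order) ini setting; the code assumes PHP 7.1 or later.

```php
<?php
// Constructed sample input standing in for $_GET, $_POST and $_COOKIE, so the
// script runs from the command line. The same key arrives from two sources.
$get    = ['user_id' => '42', 'page' => '2'];   // values typed into the URL
$post   = ['comment' => 'hello'];
$cookie = ['user_id' => '7'];                   // value stored in a cookie

/**
 * Hypothetical helper: emulates how $_REQUEST is assembled. Sources are merged
 * in the order given by the ini setting (G = GET, P = POST, C = cookie), and a
 * later source overwrites an earlier one that uses the same key.
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

/**
 * Hypothetical helper: read a positive integer from ONE named source.
 * Returns null when the key is missing or the value is not a positive integer.
 */
function int_from(array $source, string $key): ?int
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    $value = filter_var($source[$key], FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

// The same line of application code sees a different origin for user_id
// depending on configuration the script does not control.
foreach (['GPC', 'CGP', 'GP'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("order %-3s -> \$_REQUEST['user_id'] = %s\n", $order, $request['user_id']);
}

// Reading from the source you mean removes the ambiguity.
var_dump(int_from($cookie, 'user_id'));   // the cookie's value, validated
var_dump(int_from($get, 'user_id'));      // the URL's value, validated
var_dump(int_from($post, 'user_id'));     // absent from POST
```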

If you have existing scripts that do not use the superglobals, and you are unwilling to convert your code to use the superglobals, you have two other options:

  1. Enable register_globals in your php.ini file. This will revert PHP back to its insecure, pre-v4.1 functionality - the superglobals will still be there, but all input is automatically made into variables.

  2. Use the function import_request_variables() to extract a given superglobal into normal variables.

One important thing to note is that $GLOBALS contains itself too, which means that if you try to cycle through each variable in $GLOBALS in some older versions of PHP you will enter into a recursive loop!


