Hudzilla.org - the homepage of Paul Hudson

3.8 Superglobals

This is NOT the latest copy of this book; click here for the latest version.

All variables that come into PHP arrive inside one of several special arrays known collectively as the superglobals. They're called superglobal because they are available everywhere in your script, even inside objects and arrays. These arrays were not available in PHP before v4.1, so many older scripts use alternatives. The new versions are superior, though, so it is strongly recommended that all new scripts use the superglobals. Superglobals can be used like any other arrays in PHP, which means you can iterate through them, etc.

There are nine superglobals available for use, categorised by type of variable. These are:

| Name | Functionality |
| --- | --- |
| $GLOBALS | Contains all global variables in your script, including other superglobals. This is not generally recommended for use, unless you are, for some reason, not sure where a variable will be stored. $GLOBALS has been available since PHP 3, and its operation has not changed. |
| $_GET | Contains all variables sent via a HTTP GET request. That is, sent by way of the URL. Users of older PHP versions will recognise this as being the same as $HTTP_GET_VARS array, which, although deprecated, is still available for use. |
| $_POST | Contains all variables sent via a HTTP POST request. This is similar to the old $HTTP_POST_VARS array, which, although deprecated, is still available for use. |
| $_FILES | Contains all variables sent via a HTTP POST file upload. This is similar to the old $HTTP_POST_FILES array, which, although deprecated, is still available for use. |
| $_COOKIE | Contains all variables sent via HTTP cookies. This is similar to the old $HTTP_COOKIE_VARS array, which, although deprecated, is still available for use. |
| $_REQUEST | Contains all variables sent via HTTP GET, HTTP POST, and HTTP cookies. This is basically the equivalent of combining $_GET, $_POST, and $_COOKIE, and is less dangerous than using $GLOBALS. However, as it does contain all variables from untrusted sources (that is, your visitors), you should still try to steer clear unless you have very good reason to use it. There's no equivalent to $_REQUEST in versions of PHP before v4.1. |
| $_SESSION | Contains all variables stored in a user's session. This is similar to the old $HTTP_SESSION_VARS array, which, although deprecated, is still available for use. |
| $_SERVER | Contains all variables set by the web server you are using, or other sources that directly relate to the execution of your script. This is similar to the old $HTTP_SERVER_VARS array, which, although deprecated, is still available for use. |
| $_ENV | Contains all environment variables set by your system or shell for the script. This is similar to the old $HTTP_ENV_VARS array, which, although deprecated, is still available for use. |

Many programmers still use the old syntax for these variables ($HTTP_SERVER_VARS, etc), so you may wonder why the older versions are deprecated in favour of the new superglobals. There are two key differences between the old versions and the new versions:

  1. The new versions are much shorter to type. I do not know about you, but I'd much rather type $_GET than $HTTP_GET_VARS each time I want to access a variable!

  2. The new versions are automatically global everywhere in your script, even inside functions. The older variables, like $HTTP_SESSION_VARS, were not available inside functions unless you specifically requested for them to be available.

There are two superglobal arrays that I would discourage use of as much as possible, and these are $GLOBALS and $_REQUEST. Both of these arrays are combinations of the other arrays, and therefore mingle together untrusted user data. When you use $_COOKIE['somevar'], you know that the value has come from a cookie on the user's machine, and not from someone editing the URL to your site. When using $_REQUEST['somevar'], however, you no longer have that guarantee, and you are left trusting the user to some extent.
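The mingling described above, as an added example that is not part of the original text. Constructed arrays stand in for $_GET, $_POST and $_COOKIE so the script runs from the command line, and the helper names merged_request() and positive_int_from() are hypothetical.

```php
<?php
// Added example. Constructed arrays stand in for $_GET, $_POST and $_COOKIE
// so the script runs from the command line.
$get    = ['user_id' => '42'];   // constructed: taken from the URL
$post   = [];                    // constructed: no form was submitted
$cookie = ['user_id' => '7'];    // constructed: taken from the Cookie header

// Rebuild what $_REQUEST would contain. PHP registers the sources from left
// to right in the order named by request_order, and later ones overwrite
// earlier ones, so the winner for a shared name depends on configuration.
function merged_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        $merged = array_replace($merged, $sources[$letter] ?? []);
    }
    return $merged;
}

// Read a positive integer from exactly one source. The value is still
// supplied by the client, so it is validated before use.
function positive_int_from(array $source, string $key): ?int
{
    $raw = $source[$key] ?? null;
    if (!is_string($raw)) {
        return null;             // missing, or an array such as ?user_id[]=1
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

// The same name resolves to different sources under different settings.
foreach (['GP', 'GPC', 'CGP'] as $order) {
    $request = merged_request($order, $get, $post, $cookie);
    printf("request_order=%-3s  user_id=%s\n", $order, $request['user_id']);
}

// Reading from one named source removes the ambiguity.
printf("cookie only: %s\n", var_export(positive_int_from($cookie, 'user_id'), true));
printf("post only:   %s\n", var_export(positive_int_from($post, 'user_id'), true));
```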

If you have existing scripts that do not use the superglobals, and you are unwilling to convert your code to use the superglobals, you have two other options:

  1. Enable register_globals in your php.ini file. This will revert PHP back to its insecure, pre-v4.1 functionality - the superglobals will still be there, but all input is automatically made into variables.

  2. Use the function import_request_variables() to extract a given superglobal into normal variables.
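Why the first option is described as insecure, as an added example that is not from the original text. register_globals was removed in PHP 5.4, so extract() on a constructed request array stands in for it here; the function names and the password value are hypothetical.

```php
<?php
// Added example. extract() on constructed request data stands in for
// register_globals: every request parameter becomes a script variable.

function is_admin_password(string $password): bool   // hypothetical check
{
    return hash_equals('correct horse', $password);  // constructed secret
}

// Pattern that was unsafe with register_globals on: $authorized is only
// assigned on success, so a request parameter of the same name can supply it.
function page_with_register_globals(array $request): string
{
    extract($request);           // stand-in for register_globals
    if (isset($password) && is_admin_password($password)) {
        $authorized = true;
    }
    return !empty($authorized) ? 'admin page' : 'login page';
}

// The same page written against the superglobals: input is read by name
// from one array, and the decision variable is initialised by the script.
function page_with_superglobals(array $post): string
{
    $authorized = false;
    $password   = $post['password'] ?? '';
    if (is_string($password) && is_admin_password($password)) {
        $authorized = true;
    }
    return $authorized ? 'admin page' : 'login page';
}

// Constructed request that carries no password at all.
$constructed = ['authorized' => '1'];

echo 'register_globals style: ', page_with_register_globals($constructed), "\n";
echo 'superglobals style:     ', page_with_superglobals($constructed), "\n";
```

Code that has to keep running with register_globals enabled should at least initialise every variable it later bases a decision on.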

One important thing to note is that $GLOBALS contains itself too, which means that if you try to cycle through each variable in $GLOBALS in some older versions of PHP you will enter into a recursive loop!


Comments from other readers
A PHP User - 05 Dec 2008

Hello friends, it's very good to make it easy to learn something.

Juan Francisco Giordana - 05 Dec 2008

$_GET = $_SERVER['HTTP_REFERER'];
echo '<a href="' . $_GET . '">Go back</a>.';

mystic@de4th.com: that example really sucks and you're only confusing people who are trying to learn.

This example has been taken from http://php.net/manual/en/language.variables.scope.php and demonstrates a better use of the global scope of a variable:

<?php
$a = 1;
$b = 2;

function Sum()
{
    global $a, $b;

    $b = $a + $b;
}

Sum();
echo $b;
?>

That example should be deleted.

bugScripts.us.tt - 05 Dec 2008

And for future reference, NEVER unset cookies by using unset($_COOKIE);. The cookie will be resent on the next page, since that only unsets the cookie variable, not the actual cookie. Use setcookie('name', '', time()); this tells the cookie to expire immediately.

ZendURL - 05 Dec 2008

Here is an example:
If you have a signup sheet where a user fills out their name and password, then on the next page you could use $name = $_POST['name']; this would make $name be the same as the value that the user submitted. So then you could add $name into your database, or show it to your user to allow him to confirm it.

Graham@namik.co.uk - 05 Dec 2008

What would be really helpful is if there was a testing HTML file we could use with, say, different form fields and a few buttons with which we could test variables and check the output. Sorry if that didn't make sense!

A PHP User - 05 Dec 2008

Another example of using superglobals:
When completing a form, the data that is entered (name, phone, email...) is sent to the script via get or post mode.
In the script, you can access this information with $_GET['name'], $_GET['phone'], etc. (or, if the mode is post, with $_POST['name'], etc.)
And when uploading files, these files and information about them are in the superglobal $_FILES.

mr.chew - 05 Dec 2008

I really don't understand how you use these superglobals in a website. I only grasped that they exist, but not how to use them.

mystic@de4th.com - 05 Dec 2008

Superglobals are extremely useful. Switching stylesheets on a website, message boards, some site navigations, and more are possible by super globals.

For example, you need your page to remember where the visitor came from so you can supply a link back to the page. You can do the following:

$_GET = $_SERVER['HTTP_REFERER'];
echo '<a href="' . $_GET . '">Go back</a>.';

That's not a very good example, since you'd want to check to see if $_GET is indeed the referer or not, but you get the point, no?

Cookies are what allows a site to remember your account name and/or password. They remember values for variables in a PHP script and fill them in when called.

Really, it's hard to explain any specific uses for them; they're very versatile and powerful.
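A checked version of the "Go back" link from the comment above, as an added example that is not part of the original comment. The Referer header is supplied by the client, so it is validated and HTML-escaped before output; back_link() and the host www.example.com are hypothetical, and $server stands in for $_SERVER.

```php
<?php
// Added example. $server stands in for $_SERVER so the script runs from
// the command line; the host name is a constructed placeholder.
function back_link(array $server, string $ownHost): string
{
    $fallback = '<a href="/">Go back</a>.';
    $referer  = $server['HTTP_REFERER'] ?? '';
    if (!is_string($referer) || $referer === '') {
        return $fallback;                    // header absent
    }

    // Accept only http(s) URLs that point back at this site.
    $parts  = parse_url($referer);
    $scheme = is_array($parts) ? strtolower($parts['scheme'] ?? '') : '';
    $host   = is_array($parts) ? strtolower($parts['host'] ?? '') : '';
    if (!in_array($scheme, ['http', 'https'], true) || $host !== strtolower($ownHost)) {
        return $fallback;
    }

    // Escape for the HTML attribute context instead of echoing the raw header.
    $href = htmlspecialchars($referer, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $href . '">Go back</a>.';
}

// Constructed sample headers.
$samples = [
    'https://www.example.com/list.php?page=2&sort=name',
    'https://www.example.com/search.php?q="php"',
    'https://other.example.net/landing.html',
    'ftp://www.example.com/file.txt',
    '',
];

foreach ($samples as $referer) {
    // The superglobal is read, never reassigned.
    echo back_link(['HTTP_REFERER' => $referer], 'www.example.com'), "\n";
}
```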

Pzkpfw - 05 Dec 2008

You lost me here.

What do I use Superglobals for? Some examples of situations where Superglobals are used would help a lot.
As I read it now I just understand there exists something called Superglobals and that each of these variables has something to do with some other thing.

Kind Regards
Pzkpfw

A PHP User - 05 Dec 2008

When you use $_COOKIE['somevar'], you know that the value has come from a cookie on the user's machine, and not from someone editing the URL to your site. When using $_REQUEST['somevar'], however, you no longer have that guarantee, and you are left trusting the user to some extent.


This is not really true; a cookie can as easily be faked as a URL can be changed.


