Superglobals in PHP Simplified: Friendly Guide with Examples

👋 Hey there, PHP developer! When you’re just getting started with PHP development, one of the most useful—and slightly confusing—concepts you’ll come across is Superglobals in PHP. These magical variables are always accessible, everywhere in your script, without needing to declare them with global or pass them around like function arguments.

In this beginner-friendly guide, we’ll demystify what Superglobals in PHP are, walk through each major one with real-world examples, and share best practices on how to use them securely and effectively.

Let’s get started!

What Are Superglobals in PHP?

Superglobals in PHP are built-in global arrays that allow you to access specific types of information, like form data, session variables, cookies, server information, and more—anywhere in your script.

Here’s what makes them “super”:

  • They’re automatically available in all scopes (functions, methods, etc.)
  • They’re predefined by PHP
  • They mostly come in the form of associative arrays

List of commonly used PHP Superglobals:

| Superglobal | Description |
|---|---|
| $_GET | Data from URL query parameters |
| $_POST | Data from submitted HTML forms |
| $_REQUEST | Combines data from $_GET, $_POST, and $_COOKIE |
| $_SERVER | Information about server and execution environment |
| $_SESSION | Data stored across user sessions |
| $_COOKIE | Data stored in the user’s browser |
| $_FILES | Information about uploaded files |
| $_ENV | Environment variables |
| $GLOBALS | Access global variables from anywhere |

Let’s break them down one by one!

$_GET – Accessing Data from the URL

The $_GET superglobal is used to collect values sent via the URL. It’s perfect for fetching query parameters, like when users search or filter something.

Example:

PHP
<!-- URL: example.com/search.php?query=php -->
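<?php
// Read the parameter with a default so a missing key does not raise a warning
$query = $_GET['query'] ?? '';
// The value comes straight from the URL, so escape it before output
echo "Search term is: " . htmlspecialchars($query, ENT_QUOTES, 'UTF-8'); // php
?>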

This is commonly used for pagination, filtering, or retrieving simple form values using the GET method.

Tip: Avoid exposing sensitive data via $_GET as it’s visible in the browser’s address bar.

$_POST – Handling Form Submissions

Unlike $_GET, data sent using $_POST is not visible in the URL. It’s commonly used for forms that modify data—like login forms, contact forms, and more.

Example:

PHP
<form method="post" action="submit.php">
  <input type="text" name="username">
  <input type="submit">
</form>

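<?php
// submit.php: escape the submitted value before echoing it back
$username = $_POST['username'] ?? '';
echo "Welcome, " . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
?>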

Best Practice: Always validate and sanitize user input to avoid security vulnerabilities like SQL injection.

$_REQUEST – A Combination of Everything

$_REQUEST is a mix of $_GET, $_POST, and $_COOKIE. It will try to fetch the value regardless of how it was sent.

Example:

PHP
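<?php
$name = $_REQUEST['name'] ?? ''; // Works for both GET and POST
// Escape the value before output, whichever source it came from
echo "Hello, " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "!";
?>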

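Note: Using $_REQUEST can lead to ambiguity: when the same key arrives from more than one source, the request_order (or variables_order) setting in php.ini decides which value wins. Prefer $_POST or $_GET when you know the method used.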

$_SERVER – Server and Execution Info

$_SERVER is filled with information about the current request, headers, script paths, and server details.

Common Uses:

PHP
<?php
echo $_SERVER['SERVER_NAME'];  // Outputs domain name
echo $_SERVER['REQUEST_METHOD']; // GET or POST
echo $_SERVER['SCRIPT_FILENAME']; // Full file path
?>

This superglobal is very helpful for debugging, building dynamic links, or logging user requests.

$_COOKIE – Reading Browser Cookies

Cookies let you store small pieces of data on the user’s browser, and $_COOKIE lets you access them.

Set and Read a Cookie:

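PHP
<?php
// Set cookie (setcookie() must be called before any output is sent)
setcookie("user", "John", time() + (86400 * 30), "/");

// Read cookie (it appears in $_COOKIE from the next request onward)
if (isset($_COOKIE["user"])) {
    // Cookie values are client-controlled, so escape before output
    echo "Hello, " . htmlspecialchars($_COOKIE["user"], ENT_QUOTES, 'UTF-8');
}

// Expire cookie (in a later request, again before any output)
setcookie("user", "John", time() - 3600, "/");
?>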

Reminder: Always consider user privacy and comply with cookie consent laws. To delete a cookie, set it again with an expiry time in the past; the browser will then remove it.

$_FILES – Managing File Uploads

$_FILES handles file uploads via forms and stores metadata like file name, size, and temporary location.

File Upload Example:

PHP
<form action="upload.php" method="post" enctype="multipart/form-data">
  <input type="file" name="myfile">
  <input type="submit" value="Upload">
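</form>

PHP
<?php
if (isset($_FILES['myfile']) && $_FILES['myfile']['error'] === UPLOAD_ERR_OK) {
    // basename() strips any directory components from the client-supplied name
    $name = basename($_FILES['myfile']['name']);
    move_uploaded_file($_FILES['myfile']['tmp_name'], 'uploads/' . $name);
    echo "File uploaded!";
}
?>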

Security Tip: Always check file type and size to prevent malicious uploads.
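The type and size checks from the tip above, as an added example that is not part of the original article. The size limit, the allowed types, the store_upload() helper and the uploads directory are assumptions made for illustration, and mime_content_type() requires PHP's fileinfo extension.

```php
<?php
declare(strict_types=1);

// Constructed policy values for this example (assumptions, not from the article).
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // 2 MiB
const ALLOWED_TYPES = [
    'jpg' => 'image/jpeg',   // extension => MIME type expected from the content
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

// Validate one $_FILES entry and move it into $destDir under a generated name.
function store_upload(array $file, string $destDir): string
{
    // Reject multi-file arrays and any upload error reported by PHP.
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or was malformed.');
    }
    // Measure the file on disk instead of trusting the client-declared size.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File is empty or too large.');
    }
    // The extension comes from the client; the MIME type is sniffed from the content.
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $mime = mime_content_type($file['tmp_name']);
    if ((ALLOWED_TYPES[$ext] ?? null) !== $mime) {
        throw new RuntimeException('File type is not allowed.');
    }
    // Never reuse the client's file name: generate one on the server.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() refuses paths that did not come from an HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $target;
}

// Usage in upload.php, with the form field name used in the article.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['myfile'])) {
    try {
        store_upload($_FILES['myfile'], __DIR__ . '/uploads');
        echo 'File uploaded!';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Keeping the uploads directory outside the web root, or configuring the server not to execute scripts from it, limits the damage if a check is ever bypassed.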

$_SESSION – Persistent Data Across Pages

$_SESSION helps you store data that stays available across different pages (until the user leaves or logs out).

Starting a Session:

PHP
<?php
session_start();
$_SESSION['username'] = 'john_doe';

echo $_SESSION['username'];
?>

Important: Always call session_start() before accessing session variables.

Sessions are widely used in authentication, cart management, and storing temporary user settings.

$_ENV – Environment Variables

$_ENV contains variables set in the server’s environment, often defined in .env files or system configs.

PHP
<?php
echo $_ENV['DB_HOST']; // If defined
?>

In modern applications, environment variables help keep config data (like DB credentials) separate from code.

$GLOBALS – Accessing Global Variables Anywhere

The $GLOBALS superglobal is a special array that holds all global variables. It allows you to access and modify them from inside functions or classes.

Example:

PHP
<?php
$name = "John";

function greet() {
    echo "Hello, " . $GLOBALS['name'];
}

greet();
?>

Tip: Use $GLOBALS sparingly. It can lead to messy code if overused.

Security Tips While Using Superglobals

Using Superglobals carelessly can expose your app to security threats. Here are a few safety guidelines:

  • Sanitize inputs using filter_var() or custom logic.
  • Validate forms before processing.
  • Use CSRF tokens with forms using $_POST.
  • Limit file upload types using mime_content_type() and pathinfo() checks.
  • Escape output using htmlspecialchars() to prevent XSS.
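The CSRF token, filter_var() validation and htmlspecialchars() escaping from the list above, combined in one form handler. This is an added example, not code from the original article; the sign-up form, its email and age fields, and the csrf_token(), csrf_valid() and signup_errors() helpers are hypothetical.

```php
<?php
session_start();

// Return the per-session CSRF token, creating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the session copy.
function csrf_valid($submitted): bool
{
    return is_string($submitted) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Validate the fields of a hypothetical sign-up form; returns a list of errors.
function signup_errors(array $post): array
{
    $errors = [];
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Enter a valid e-mail address.';
    }
    $range = ['options' => ['min_range' => 13, 'max_range' => 120]];
    if (filter_var($post['age'] ?? '', FILTER_VALIDATE_INT, $range) === false) {
        $errors[] = 'Age must be a whole number between 13 and 120.';
    }
    return $errors;
}

$messages = [];
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token.');
    }
    $messages = signup_errors($_POST) ?: ['Thanks, ' . $_POST['email'] . '!'];
}
foreach ($messages as $m) {
    echo '<p>' . htmlspecialchars($m, ENT_QUOTES, 'UTF-8') . '</p>';
}
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post"><input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="email" name="email"><input type="number" name="age">'
   . '<input type="submit"></form>';
```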

Real-World Use Case

Let’s say you’re building a login system:

  1. $_POST is used to receive credentials from the form.
  2. $_SESSION is used to store the user login state.
  3. $_SERVER is used to log the user agent or IP.
  4. Optionally, set a $_COOKIE to remember the user.

PHP
<?php
session_start();

// Read the fields with defaults so missing keys do not raise warnings
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// Demo credentials only; strict comparison avoids PHP's loose type juggling
if ($username === 'admin' && $password === '123') {
    $_SESSION['logged_in'] = true;
    setcookie("remember_me", "true", time() + (86400 * 30), "/");
    echo "Welcome!";
} else {
    echo "Invalid credentials";
}
?>
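A hardened variant of the login flow above, as an added example that is not the article's own code. The $users array, its password and the credentials_ok() helper are constructed for illustration; the example assumes PHP 7.4 or later and a site served over HTTPS.

```php
<?php
declare(strict_types=1);

// Constructed user store for this example; a real application would load the
// hash from its database, where it was written once at registration.
$users = ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

// Check a username/password pair against the stored hashes.
function credentials_ok(array $users, $username, $password): bool
{
    if (!is_string($username) || !is_string($password)) {
        return false; // e.g. password[]=x arrives as an array
    }
    // Verify against a dummy hash for unknown users so both paths do similar work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $known = isset($users[$username]);
    $match = password_verify($password, $known ? $users[$username] : $dummy);
    return $known && $match;
}

// Session cookie flags must be set before session_start().
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // assumption: HTTPS only
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (credentials_ok($users, $_POST['username'] ?? null, $_POST['password'] ?? null)) {
        session_regenerate_id(true); // new session ID on login prevents fixation
        $_SESSION['logged_in'] = true;
        $_SESSION['username']  = $_POST['username'];
        echo 'Welcome!';
    } else {
        http_response_code(401);
        echo 'Invalid credentials';
    }
}
// A remember-me cookie should carry a random token whose hash is stored
// server-side, never a fixed value such as "true" that any client can set.
```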

🎯 Final Thoughts

Superglobals in PHP are the foundation of dynamic web apps. They allow you to handle form submissions, sessions, cookies, server data, and more, all out of the box.

Learning how to use each one securely and efficiently will take your PHP skills to the next level. Start experimenting with each of them today, and you’ll soon see just how powerful and flexible PHP can be.

If you found this guide helpful, share it with fellow PHP learners, or bookmark it for later. Got questions or want more examples? Drop a comment below! 👇

