Superglobals are built-in PHP variables that are automatically available in every scope — they hold request data, server info, sessions, and more. They're how PHP scripts access incoming HTTP request information.
The main superglobals
These are available everywhere (no global keyword needed), unlike normal variables which are scoped to their function.
// query parameters and form data
$id = $_GET['id'] ?? null; // ?? provides a default if missing
$username = $_POST['username'] ?? '';
// request info
$method = $_SERVER['REQUEST_METHOD']; // "GET", "POST"
$uri = $_SERVER['REQUEST_URI'];
$ip = $_SERVER['REMOTE_ADDR'];
// ❌ DANGEROUS — using raw input directly enables attacks
$query = "SELECT * FROM users WHERE id = " . $_GET['id']; // SQL INJECTION!
echo $_GET['name']; // XSS!
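// ✅ ALWAYS validate, sanitize, and escape user input
$id = (int) ($_GET['id'] ?? 0); // cast/validate; falls back to 0 if the parameter is missing
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?"); // parameterized query
$stmt->execute([$id]); // the value is bound as data, never concatenated into the SQL
echo htmlspecialchars($_GET['name'] ?? '', ENT_QUOTES, 'UTF-8'); // escape for output (prevent XSS)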
Data from $_GET, $_POST, $_COOKIE, $_REQUEST is untrusted user input — using it directly enables SQL injection, XSS, and other attacks. Always validate, use parameterized queries for databases, and escape output.
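The three steps above (validate, bind, escape) combined in one runnable script. This is an added example, not code from the original page: the helper names `read_id`, `find_user` and `e`, the `users` rows and the request values are constructed for illustration. It also shows why a strict integer check is safer than a bare `(int)` cast.

```php
<?php
declare(strict_types=1);

// Constructed request data for an offline run; in a real request PHP fills $_GET.
$_GET = ['id' => '2 OR 1=1', 'name' => '<script>alert(1)</script>'];

// Hypothetical helper: returns a positive integer id, or null if the input is not one.
function read_id(array $query): ?int
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: look up a user with a bound parameter, never string concatenation.
function find_user(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical helper: escape a value for an HTML text or attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// In-memory SQLite database with constructed rows (requires the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

$id = read_id($_GET);
if ($id === null) {
    http_response_code(400); // reject instead of guessing what the caller meant
    echo "Invalid id\n";
} else {
    $user = find_user($pdo, $id);
    echo $user === null ? "No such user\n" : 'User: ' . e($user['username']) . "\n";
}

// A bare (int) cast accepts the same input by keeping only its leading digits.
echo 'Cast result: ' . (int) $_GET['id'] . "\n";
$name = is_string($_GET['name'] ?? null) ? $_GET['name'] : ''; // name[]=x arrives as an array
echo 'Hello, ' . e($name) . "\n";
```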
Superglobals are fundamental to PHP web development — they're how scripts receive HTTP request data (query strings, form submissions, cookies, sessions, uploaded files, server info), so understanding them is essential everyday knowledge for handling any user input.
Knowing what each superglobal contains ($_GET, $_POST, $_SERVER, $_SESSION, etc.) and how to access request data is necessary for building any PHP application.
But the most important point is security: data from $_GET/$_POST/$_COOKIE/$_REQUEST is untrusted user input, and using it directly is the root cause of the most common and dangerous web vulnerabilities (SQL injection, XSS).
Superglobal request data must always be validated, used safely (parameterized queries for databases), and escaped on output. Because superglobals are the entry point for user input, mishandling them is where many serious PHP security breaches originate, which makes handling them safely a foundational responsibility for every PHP developer. (Modern frameworks like Laravel wrap superglobals in safer request abstractions, but the underlying principle of never trusting input remains.)