
Fundamentals of PHP Superglobals

By Ian Gilfillan
on October 18, 2007

This month’s article is aimed at PHP developers who are not yet familiar with the PHP superglobals. Superglobals are fundamental to PHP web development, but with all the recent changes in PHP there are still many outdated tutorials and books, and, sadly, still much confusion.

PHP superglobals are automatically available throughout all scripts, in all scopes. In other words, you don’t have to do anything, no declaring, no passing – they’re just there. They provide useful information about the environment, give access to HTML form variables or parameters and to cookies stored on a client, and keep track of sessions and file uploads.

Accessing HTML form variables in PHP

The beginner might still come across an online tutorial or book that has something like the following:

<!-- form.html -->
<form action='form.php'>
<input type='text' name='email'>
<input type='submit' value='Submit your email'>
</form>

<?php
// form.php: $email is only set when register_globals is on
print $email;

I strongly suggest reading last month’s article, Secure Programming with PHP, in conjunction with this, as that covers some important security issues, and I don’t want to be accused of encouraging bad habits. But for now, let’s just take these examples at face value, for descriptive purposes. In the above example, $email is a global, and is populated from the form. However, this behaviour causes security issues, and comes from a setting called register_globals. Old versions of PHP had this setting on by default, but newer versions don’t, and relying on it is bad practice. $email will not be populated in most PHP installations these days, a cause of much newbie frustration.

So what to do? Simple – PHP creates what are called superglobals that are populated from different places. There are a number that can be used for form data. There’s $_GET, $_POST, $_REQUEST and $GLOBALS. There are also the older variables $HTTP_GET_VARS and $HTTP_POST_VARS. Don’t use these any more – they still work, but are deprecated, and don’t behave in quite the same way.


$_GET is used for data passed using the HTTP GET method, which includes variables passed as part of the URL (such as www.example.co.za/index.php?var1=xx&var2=yy) or from an HTML form that does not define any method (as in the case of form.html above). Here’s how a PHP script would access them:

<?php
// For demonstration only, there are security concerns with doing things this way
echo $_GET['email'];
// will display whatever was entered in the form (form.html)
echo $_GET['var1'];
// will display 'xx' when the script is called from the URL above
echo $_GET['var2'];
// will display 'yy' from the URL above

Simple, isn’t it? The GET method is conventionally used when the processing script has no lasting observable effect (such as changing a database). It’s also more easily cacheable, so is ideal for most searches.
$_GET has been around since PHP 4.1.0. Before that, $HTTP_GET_VARS was used (though this was not automatically global).
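
The security concerns flagged in the snippet above come from echoing request data as-is. The following is an added example, not code from the original article, showing form.php reading the same email and var1 parameters from $_GET with presence checks, validation and output escaping. It assumes PHP 7 or later; render_form_response() is a hypothetical helper name and the sample inputs are constructed.

```php
<?php
// Added example, not from the original article.
// render_form_response() is a hypothetical helper; it takes the $_GET array.

function render_form_response(array $get): string
{
    $lines = [];

    // A key may be missing (form.php opened directly) or may be an array
    // (a URL such as ?email[]=x), so check both before using the value.
    $rawEmail = isset($get['email']) && is_string($get['email'])
        ? trim($get['email'])
        : '';

    // filter_var() returns the address when it is well formed, else false.
    $email = filter_var($rawEmail, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $lines[] = 'Please enter a valid email address.';
    } else {
        // A valid address can still contain ' or &, so escape at output.
        $lines[] = 'Email: ' . htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
    }

    // var1 is free text: no validation rule applies, but it is still escaped.
    if (isset($get['var1']) && is_string($get['var1'])) {
        $lines[] = 'var1: ' . htmlspecialchars($get['var1'], ENT_QUOTES, 'UTF-8');
    }

    return implode("\n", $lines) . "\n";
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs standing in for $_GET on the command line.
    $samples = [
        ['email' => 'user@example.com', 'var1' => 'xx'], // well formed
        ['email' => 'not-an-email', 'var1' => 'a<b>c'],  // rejected; var1 escaped
        ['email' => ['x']],                              // array instead of string
        [],                                              // no parameters at all
    ];
    foreach ($samples as $sample) {
        echo render_form_response($sample), "---\n";
    }
} else {
    // Under a web server, pass the real superglobal.
    echo render_form_response($_GET);
}
```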