PHPSuperglobals Overview

Superglobals Overview

PHP ships with a small set of built-in arrays called superglobals. They hold information about the current request, the server environment, and any data that has been carried across requests (sessions, cookies). What makes them "super" is not their content but their scope: a normal variable created inside a function is invisible outside it unless you pass it in or declare it global, but every superglobal is automatically available inside every function, method, and file, with no extra work required.

The full list
  • $_GET - values sent in the URL query string, e.g. ?id=42.

  • $_POST - values sent in the body of an HTTP POST request, typically from a form.

  • $_REQUEST - a merged view of $_GET, $_POST, and $_COOKIE, ordered by the request_order ini setting.

  • $_SERVER - metadata about the server and the current request (method, host, URI, headers, and more).

  • $_SESSION - data persisted across multiple requests for the same visitor, once session_start() has run.

  • $_COOKIE - values sent back by the browser from cookies previously set with setcookie().

  • $_FILES - information about files uploaded through a multipart/form-data form.

  • $_ENV - environment variables made available to the PHP process.

  • $GLOBALS - a reference to every variable currently defined in the global scope, keyed by name.

Why they work everywhere

Ordinary PHP variables live in whatever scope created them: the global scope, or the local scope of a function or method. Superglobals are a deliberate exception carved out by the language itself — PHP populates them before your script starts running and makes them visible in every scope simultaneously, global or local. You never need global $_POST; inside a function the way you would for a regular global variable.

No global keyword needed

PHP
<?php
function showMethod() {
    // $_SERVER is visible here with no "global" declaration
    echo $_SERVER['REQUEST_METHOD'];
}

showMethod();
GET
Reading values safely

Because superglobals are filled in from data the visitor controls (the URL, form fields, cookies, uploaded files), you should treat every value inside them as untrusted input. Two habits matter from day one: check that a key exists before reading it, and escape anything you print back into HTML with htmlspecialchars().

Defensive reading of a superglobal

PHP
<?php
$page = $_GET['page'] ?? '1';
$safePage = htmlspecialchars($page, ENT_QUOTES, 'UTF-8');

echo "Requested page: {$safePage}";
Superglobals are still just arrays
There is nothing magical about reading or writing to a superglobal beyond its automatic scope. `$_SESSION['user_id'] = 7;` works exactly like assigning to any associative array — the "super" part only refers to visibility, not to any special array syntax.
Quick reference

Superglobal

Typical use

$_GET

Read query string parameters for filtering, pagination, search.

$_POST

Read form fields submitted with method="post".

$_REQUEST

Rarely recommended; merges GET, POST, and COOKIE.

$_SERVER

Inspect request method, URI, host, headers, client IP.

$_SESSION

Store login state or cart contents between requests.

$_COOKIE

Read small values the browser stored for this site.

$_FILES

Inspect metadata for an uploaded file.

$_ENV

Read environment variables such as API keys or config flags.

$GLOBALS

Access a global variable by name from inside a function.

Tip
Get in the habit of reaching for the specific superglobal you mean (`$_GET` or `$_POST`) rather than the catch-all `$_REQUEST`. The dedicated pages on `$_GET` & `$_POST`, `$_SERVER`, and `$_REQUEST` go deeper into each one.