Superglobals Overview
PHP ships with a small set of built-in arrays called superglobals. They hold information about the current request, the server environment, and any data that has been carried across requests (sessions, cookies). What makes them "super" is not their content but their scope: a normal variable created inside a function is invisible outside it unless you pass it in or declare it global, but every superglobal is automatically available inside every function, method, and file, with no extra work required.
The full list
$_GET- values sent in the URL query string, e.g.?id=42.$_POST- values sent in the body of an HTTP POST request, typically from a form.$_REQUEST- a merged view of$_GET,$_POST, and$_COOKIE, ordered by therequest_orderini setting.$_SERVER- metadata about the server and the current request (method, host, URI, headers, and more).$_SESSION- data persisted across multiple requests for the same visitor, oncesession_start()has run.$_COOKIE- values sent back by the browser from cookies previously set withsetcookie().$_FILES- information about files uploaded through amultipart/form-dataform.$_ENV- environment variables made available to the PHP process.$GLOBALS- a reference to every variable currently defined in the global scope, keyed by name.
Why they work everywhere
Ordinary PHP variables live in whatever scope created them: the global scope, or the local scope of a function or method. Superglobals are a deliberate exception carved out by the language itself — PHP populates them before your script starts running and makes them visible in every scope simultaneously, global or local. You never need global $_POST; inside a function the way you would for a regular global variable.
No global keyword needed
<?php
function showMethod() {
// $_SERVER is visible here with no "global" declaration
echo $_SERVER['REQUEST_METHOD'];
}
showMethod();GET
Reading values safely
Because superglobals are filled in from data the visitor controls (the URL, form fields, cookies, uploaded files), you should treat every value inside them as untrusted input. Two habits matter from day one: check that a key exists before reading it, and escape anything you print back into HTML with htmlspecialchars().
Defensive reading of a superglobal
<?php
$page = $_GET['page'] ?? '1';
$safePage = htmlspecialchars($page, ENT_QUOTES, 'UTF-8');
echo "Requested page: {$safePage}";Quick reference
Superglobal | Typical use |
|---|---|
| Read query string parameters for filtering, pagination, search. |
| Read form fields submitted with method="post". |
| Rarely recommended; merges GET, POST, and COOKIE. |
| Inspect request method, URI, host, headers, client IP. |
| Store login state or cart contents between requests. |
| Read small values the browser stored for this site. |
| Inspect metadata for an uploaded file. |
| Read environment variables such as API keys or config flags. |
| Access a global variable by name from inside a function. |