PHP Superglobals for Form Handling
What Are Superglobals in PHP?
Superglobals are built-in predefined variables in PHP that:
- Are always available (you don't need to declare them global or pass them around)
- Work anywhere: inside functions, classes, or outside of them
- Hold important information about the environment, form data, URLs, sessions, etc.
List of Common PHP Superglobals
Superglobal | What It Does
$_GET | Data from URL query-string parameters
$_POST | Data from forms submitted with method="post"
$_REQUEST | Combines $_GET, $_POST and $_COOKIE (which sources are merged, and in what order, is set by the request_order ini directive; php.ini-production ships "GP", so cookies are excluded there)
$_SERVER | Info about headers, server, paths, etc.
$_FILES | Data from uploaded files
$_ENV | Environment variables
$_COOKIE | Data stored in cookies
$_SESSION | Data in user sessions
$GLOBALS | All global variables in one place
PHP Global Variables - Superglobals
$_SERVER
- $_SERVER is a PHP superglobal variable which holds information about headers, paths, and script locations.
- Several of its entries (HTTP_HOST, HTTP_REFERER and every other HTTP_* header, plus the path-info part of PHP_SELF and REQUEST_URI) are copied straight from the client's request and can be set to anything by an attacker. Treat them as untrusted input, not as facts about your server.
- The example below shows how to use some of the elements in $_SERVER:
<?php
// Client-supplied entries (HTTP_HOST, HTTP_REFERER) are escaped before being
// echoed into the page; PHP_SELF is escaped too, because it can carry
// attacker-chosen path info from the URL
echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
echo "<br>";
echo htmlspecialchars($_SERVER['SERVER_NAME'], ENT_QUOTES, 'UTF-8');
echo "<br>";
echo htmlspecialchars($_SERVER['HTTP_HOST'], ENT_QUOTES, 'UTF-8');
echo "<br>";
echo htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
echo "<br>";
// HTTP_REFERER is only present when the browser chose to send it
if (isset($_SERVER['HTTP_REFERER'])) {
    echo htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8');
} else {
    echo "No referrer available.";
}
?>
The following table lists the most important elements that can go inside $_SERVER:
Element/Code | Description
$_SERVER['PHP_SELF'] | The filename of the currently executing script relative to the document root, including any trailing path info (a request to /form.php/extra gives /form.php/extra). That path-info part comes from the URL, so it is attacker-controlled and must be escaped before being echoed.
$_SERVER['SERVER_NAME'] | The name of the host server (such as www.w3schools.com), normally taken from the server configuration (Apache's ServerName); with UseCanonicalName Off it falls back to the client's Host header
$_SERVER['HTTP_HOST'] | The Host header sent by the browser (usually the same as the server name, but the client chooses it)
$_SERVER['SCRIPT_NAME'] | The path of the current script, without any path info
$_SERVER['HTTP_REFERER'] | The URL of the page that referred the user to this page, if the browser sent one. It is optional and trivially spoofed, so never use it as an access-control check.
Pro Tip:
Always check with isset() (or use the null-coalescing operator ??) before reading keys that may be absent, such as:
- $_SERVER['HTTP_REFERER']
- $_GET[...]
- $_POST[...]
Reading a missing key yields null and raises an "Undefined array key" warning (a notice before PHP 8.0). Be careful with !empty(): it also rejects legitimate values such as "0", so prefer isset() when the value only needs to be present.
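The PHP_SELF point deserves a concrete look, since the form examples on this page all write it into an action attribute. The following is an added example, not code from the original page. It constructs the $_SERVER values that Apache (with AcceptPathInfo on) populates for a request whose path info carries markup; the script name /form.php and the payload are this example's own constructed input, and PHP_SELF is built as SCRIPT_NAME plus PATH_INFO the way the PHP manual describes it.

```php
<?php
// Added example (not from the original page): why $_SERVER['PHP_SELF'] must be
// escaped before it goes into a form's action attribute.
//
// Constructed request, standing in for what the web server would populate for
//   GET /form.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cz%20a=%22
// PHP_SELF = script path + URL-decoded path info; SCRIPT_NAME is just the script.
$_SERVER['SCRIPT_NAME'] = '/form.php';
$_SERVER['PATH_INFO']   = '/"><script>alert(1)</script><z a="';
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];

// The page's original pattern: the attacker-chosen path info lands raw inside the
// attribute, closes it, and the <script> becomes part of the page.
function form_tag_unsafe(): string
{
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}

// Escaped: the quote and the angle brackets become entities, the attribute stays
// closed, and the browser just submits to the odd-looking URL.
function form_tag_escaped(): string
{
    $action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// Alternative: use SCRIPT_NAME, which carries no path info (or action="" to submit
// to the current URL). Whatever goes into the attribute is still escaped.
function form_tag_script_name(): string
{
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

echo "unsafe:      ", form_tag_unsafe(), "\n";
echo "escaped:     ", form_tag_escaped(), "\n";
echo "script_name: ", form_tag_script_name(), "\n";
```

Run it with php on the command line and compare the three lines: only the first one contains a live <script> element. The same escaping applies wherever PHP_SELF, REQUEST_URI or any HTTP_* value is written into HTML.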
$_REQUEST
- PHP $_REQUEST is a PHP superglobal variable which is used to collect data after submitting an HTML form.
- It collects form data sent with either the GET or the POST method (and, depending on the request_order setting, cookies as well), so it does not tell you which source a value came from. When you know the form is a POST form, reading $_POST directly is the clearer choice.
- The example below shows a form with an input field and a submit button. When a user submits the data by clicking on "Submit", the form data is sent to the file specified in the action attribute of the <form> tag.
<html>
<body>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
Name: <input type="text" name="fname" value="<?php echo htmlspecialchars($_POST['fname'] ?? '', ENT_QUOTES, 'UTF-8'); ?>">
<input type="submit">
</form>
<?php
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    // collect value of input field; '' if the key is missing
    $name = $_REQUEST['fname'] ?? '';
    if ($name === '') {
        echo "Name is empty";
    } else {
        // escape before echoing user input into HTML
        echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    }
}
?>
</body>
</html>
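To show what "combines $_GET, $_POST and $_COOKIE" means in practice, here is an added example that is not part of the original page. PHP fills $_REQUEST once at startup, so the example does not modify the real superglobals; instead the function build_request (a name chosen for this example) reproduces the merge on constructed arrays, following the documented rule that the sources are merged in request_order and later sources overwrite earlier ones.

```php
<?php
// Added example (not from the original page): how $_REQUEST is assembled, and why
// a handler should read from the specific source it expects.
//
// PHP merges $_GET, $_POST and $_COOKIE into $_REQUEST in the order given by the
// request_order ini setting (falling back to variables_order when it is unset).
// Letters other than G, P and C are ignored; a later source overwrites an earlier one.
function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]); // later source wins
        }
    }
    return $request;
}

// Constructed input: a POST form submitted to /handler.php?fname=from_url while the
// browser also holds a cookie named fname. All three sources use the same key.
$get    = ['fname' => 'from_url'];
$post   = ['fname' => 'from_form'];
$cookie = ['fname' => 'from_cookie'];

// php.ini-production ships request_order = "GP": cookies are left out, POST beats GET.
echo "request_order=GP    -> fname=", build_request($get, $post, $cookie, 'GP')['fname'], "\n";

// No request_order set: PHP falls back to variables_order, whose default "EGPCS" puts
// cookies last, so a cookie silently overrides both the URL and the form field.
echo "request_order=EGPCS -> fname=", build_request($get, $post, $cookie, 'EGPCS')['fname'], "\n";

// What this PHP instance is actually configured with.
$order = ini_get('request_order');
echo "this php.ini: request_order=",
     ($order !== false && $order !== '') ? $order : '(unset, using variables_order=' . ini_get('variables_order') . ')',
     "\n";
```

The two configured orders give different answers for the same request, and the second one lets a cookie (which an attacker can often plant via a subdomain or an earlier injection) win over the value the user just typed. Reading $_POST['fname'] directly avoids the ambiguity entirely.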
$_POST
- PHP $_POST is a PHP superglobal variable which is used to collect form data after submitting an HTML form with method="post". $_POST is also widely used to pass variables between pages.
- The example below shows a form with an input field and a submit button. When a user submits the data by clicking on "Submit", the form data is sent to the file specified in the action attribute of the <form> tag.
- action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" means the form submits to the same page it is on. PHP_SELF is escaped because its path-info part comes from the request URL.
<html>
<body>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
Name: <input type="text" name="fname" value="<?php echo htmlspecialchars($_POST['fname'] ?? '', ENT_QUOTES, 'UTF-8'); ?>">
<input type="submit">
</form>
<?php
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    // collect value of input field; '' if the key is missing
    $name = $_POST['fname'] ?? '';
    if ($name === '') {
        echo "Name is empty";
    } else {
        // escape before echoing user input into HTML
        echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    }
}
?>
</body>
</html>
$_GET
- PHP $_GET is a PHP superglobal variable which is used to collect form data after submitting an HTML form with method="get".
- It collects form data sent using the GET method.
- It also gives access to any query-string values in the URL (everything after the ?), whether they came from a form or were typed by hand. Note that an ordinary page load is itself a GET request, so the handler below also checks that the field was actually sent.
<form method="get" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
Name: <input type="text" name="fname" value="<?php echo htmlspecialchars($_GET['fname'] ?? '', ENT_QUOTES, 'UTF-8'); ?>">
<input type="submit">
</form>
<?php
// every plain page load is a GET, so also require the field to be present
if ($_SERVER["REQUEST_METHOD"] === "GET" && isset($_GET['fname'])) {
    $name = $_GET['fname'];
    if ($name === '') {
        echo "Name is empty";
    } else {
        // escape before echoing user input into HTML
        echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    }
}
?>
Secure PHP Form Handling with htmlspecialchars()
What htmlspecialchars() Does
- It converts special characters into HTML entities, like this:
Character | Converted To
< | &lt;
> | &gt;
" | &quot;
' | &#039; (only with the ENT_QUOTES flag; it is part of the default flags since PHP 8.1, but earlier versions defaulted to ENT_COMPAT and left the single quote untouched, so pass ENT_QUOTES explicitly)
& | &amp;
- Why You Need It: Prevent XSS (Cross-Site Scripting)
Bad example (vulnerable to XSS (Cross-Site Scripting)):
<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
Name: <input type="text" name="name" value="<?php if (isset($_POST['name'])) echo $_POST['name']; ?>" >
<input type="submit">
</form>
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $name = $_POST["name"]; // NOT SAFE: raw user input
    echo "Hello " . $name;  // NOT SAFE: written into the page unescaped
}
?>
If someone enters this in the input field:
<script>alert('Hacked!')</script>
the browser receives it as real markup, so the JavaScript executes when the form is submitted. The value attribute is exposed in the same way: an input such as "><script>alert(1)</script> closes the attribute and injects a script there too.
Safe example using htmlspecialchars():
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    // ENT_QUOTES also converts single quotes, so the result is safe both as
    // text and inside a quoted attribute
    $name = htmlspecialchars($_POST["name"] ?? '', ENT_QUOTES, 'UTF-8'); // Safe
    echo "Hello " . $name;
}
Apply the same call to the value="..." attribute of the form, which the bad example also leaves unescaped. Now, even if someone enters <script>alert('Hacked!')</script>, it won't run: the HTML source contains &lt;script&gt;alert(&#039;Hacked!&#039;)&lt;/script&gt;, which the browser displays as text:
Hello <script>alert('Hacked!')</script>
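The safe example only shows the greeting; the form's value attribute needs the same treatment, and the entity table above depends on the flags passed. The following added example (not code from the original page) puts both into one script: a helper named e() and a renderer named render_form(), both names chosen for this example, escape user input in attribute and text context, and a final loop prints what each special character becomes under the default flags versus ENT_QUOTES. The attacker payloads are constructed inputs.

```php
<?php
declare(strict_types=1);

// Added example (not from the original page): one escaping helper used everywhere
// user input reaches the HTML, plus a look at what htmlspecialchars() does under
// different flags.

// Escape for an HTML text node or a quoted attribute. ENT_QUOTES converts both quote
// styles, so the result is safe inside value="..." and value='...' alike.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render the form and greeting from a $_POST-shaped array. action="" submits to the
// current URL, which sidesteps PHP_SELF entirely.
function render_form(array $post): string
{
    $name  = $post['name'] ?? '';   // missing key -> '' instead of a warning
    $html  = '<form method="post" action="">' . "\n";
    $html .= '  Name: <input type="text" name="name" value="' . e($name) . '">' . "\n";
    $html .= '  <input type="submit">' . "\n";
    $html .= "</form>\n";
    if ($name !== '') {
        $html .= 'Hello ' . e($name) . "\n";
    }
    return $html;
}

// Constructed payloads standing in for what an attacker types into the field.
$payloads = [
    '<script>alert("Hacked!")</script>',    // plain text-node injection
    '"><script>alert(1)</script><q a="',    // breaks out of a double-quoted attribute
    "' onfocus='alert(1)' autofocus='",     // breaks out of a single-quoted attribute
];
foreach ($payloads as $p) {
    echo render_form(['name' => $p]), "\n";
}

// What each special character becomes. Before PHP 8.1 the default flags were
// ENT_COMPAT, which leaves the single quote alone; ENT_QUOTES always converts it.
foreach (['<', '>', '"', "'", '&'] as $ch) {
    printf("%s  default=%-8s ENT_QUOTES=%s\n", $ch, htmlspecialchars($ch), htmlspecialchars($ch, ENT_QUOTES));
}
```

Every rendered form keeps its value attribute closed and shows the payload as literal text in the greeting. The last loop makes the version dependence visible: on PHP older than 8.1 the default column prints the single quote unchanged, which is exactly the case the ENT_QUOTES argument exists for.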
GET vs. POST
The PHP superglobals $_GET and $_POST are used to collect form data.
- Both GET and POST populate an associative array (e.g. array( key1 => value1, key2 => value2, key3 => value3, ...)). This array holds key/value pairs, where the keys are the names of the form controls and the values are the input data from the user.
- GET data arrives in $_GET and POST data in $_POST. These are superglobals, which means that they are always accessible, regardless of scope, and you can access them from any function, class or file without having to do anything special.
- $_GET is an array of variables passed to the current script via the URL query string.
- $_POST is an array of variables passed to the current script in the body of an HTTP POST request.
- Information sent from a form with the GET method is visible to everyone: all variable names and values appear in the URL, and from there in browser history, bookmarks, proxy and web-server access logs, and the Referer header sent to other sites. GET may be used for sending non-sensitive data. GET should NEVER be used for sending passwords or other sensitive information! URLs also have a practical length limit, which is a further reason not to send large data with GET.
- Information sent from a form with the POST method does not appear in the URL (all names/values are embedded within the body of the HTTP request), so developers prefer POST for sending form data. POST is not encryption, though: without HTTPS the request body travels in clear text and anyone on the network path can read it, so sensitive data needs TLS regardless of the method.
$_POST
<!-- in test.html -->
<!DOCTYPE html>
<html>
<body>
<form action="test.php" method="post">
Name: <input type="text" name="name" >
<br>
E-mail: <input type="text" name="email">
<br>
<input type="submit">
</form>
</body>
</html>
When the user fills out the form above and clicks the submit button, the form data is sent for processing to a PHP
file named "test.php". The form data is sent with the HTTP POST method.
<!-- in test.php -->
<html>
<body>
<!-- escape the submitted values and default to '' when a field is missing -->
Welcome <?php echo htmlspecialchars($_POST["name"] ?? '', ENT_QUOTES, 'UTF-8'); ?><br>
Your email address is: <?php echo htmlspecialchars($_POST["email"] ?? '', ENT_QUOTES, 'UTF-8'); ?>
</body>
</html>
$_GET
<!-- in test.html -->
<html>
<body>
<form action="test.php" method="get">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>
</body>
</html>
<!-- in test.php -->
<html>
<body>
<!-- escape the submitted values and default to '' when a field is missing -->
Welcome <?php echo htmlspecialchars($_GET["name"] ?? '', ENT_QUOTES, 'UTF-8'); ?><br>
Your email address is: <?php echo htmlspecialchars($_GET["email"] ?? '', ENT_QUOTES, 'UTF-8'); ?>
</body>
</html>
Use GET when... | Use POST when...
Sending non-sensitive data | Sending sensitive data (still only over HTTPS) or large data
Bookmarking/sharing a URL | Submitting forms that create, update or delete data
You want URL parameters visible | You want data kept out of the URL, history and access logs