
Global Variable Abuse

quality PHP 5.0+ Intermediate

Also Known As

global keyword, global state, $GLOBALS

TL;DR

Using global variables or the global keyword to share state between functions — making code unpredictable, untestable, and impossible to reason about.

Explanation

Global variables create hidden dependencies: any function anywhere can read or modify them, making execution order critical and side effects unpredictable. In PHP, the global keyword imports a variable from the global scope into a function. PHP superglobals ($_GET, $_POST, $_SESSION) are a necessary evil but accessing them deep in business logic is the same problem. The fix is dependency injection — pass state explicitly as parameters or constructor arguments.

Common Misconception

Misconception: "Global variables are fine for small scripts." Even small scripts become hard to test when globals are used, and PHP-FPM's process model means globals persist across the request but not between requests, creating subtle bugs.

Why It Matters

Global variables make unit testing impossible without setting up the global state, make concurrency dangerous, and cause subtle bugs when execution order changes.

Common Mistakes

  • Using the global keyword in functions instead of passing parameters.
  • Storing request state in global variables instead of a request context object.
  • Database connection stored in a global variable instead of injected into services.
  • Using static class properties as global state — same problem, different syntax.

Code Examples

✗ Vulnerable
// Global variable abuse:
$db = new PDO(DSN, USER, PASS); // Global

function getUser(int $id): array {
    global $db; // Hidden dependency — untestable without real DB
    return $db->query('SELECT * FROM users WHERE id = ' . $id)->fetch();
}

function saveUser(array $data): void {
    global $db; // Same hidden dependency everywhere
    $db->query('INSERT INTO users ...');
}
✓ Fixed
// Dependency injection — explicit, testable:
class UserRepository {
    public function __construct(private PDO $db) {}

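    public function find(int $id): ?array {
        $stmt = $this->db->prepare('SELECT * FROM users WHERE id = ?');
        $stmt->execute([$id]);
        // fetch() returns false when no row matches; map that to null
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }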
}
// In tests: inject a mock PDO — no global state

Added 16 Mar 2026
Edited 5 Apr 2026
DEV INTEL Tools & Severity

Severity: High
Fix effort: Medium

Quick Fix

Replace global variables with constructor injection. Globals make functions hard to test, create hidden coupling, and cause race conditions in long-running processes.

Applies To

PHP 5.0+, any, web, cli, queue-worker

Detection Hints

global $db $config in function bodies; $GLOBALS superglobal usage; static class properties used as global registry
Auto-detectable: Yes (phpcs, phpstan, semgrep)

AI Agent

Confidence: Medium; False Positives: Medium; ✗ Manual fix; Fix: High; Context: File; Tests: Update

CWE-1108
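
The first two detection hints above (global imports and $GLOBALS access), as an added example that is not CodeClarityLab's code or a rule from any of the listed tools: a scanner built on PHP's token_get_all(), so text inside strings and comments is not flagged. The helper name findGlobalStateUse() and the sample source are constructed for illustration; static-property registries are not covered.

```php
<?php
declare(strict_types=1);

// Added example; findGlobalStateUse() is a hypothetical helper name.
// It walks PHP's token stream, so text inside strings and comments is not flagged.
function findGlobalStateUse(string $source): array
{
    $findings = [];
    $tokens = token_get_all($source);
    $count = count($tokens);

    for ($i = 0; $i < $count; $i++) {
        if (!is_array($tokens[$i])) {
            continue; // single-character tokens such as ';' or '{'
        }
        [$id, $text, $line] = $tokens[$i];

        if ($id === T_GLOBAL) {
            // Collect the imported variable names up to the closing ';'.
            $names = [];
            for ($j = $i + 1; $j < $count && $tokens[$j] !== ';'; $j++) {
                if (is_array($tokens[$j]) && $tokens[$j][0] === T_VARIABLE) {
                    $names[] = $tokens[$j][1];
                }
            }
            $findings[] = ['line' => $line, 'kind' => 'global keyword', 'detail' => implode(', ', $names)];
        } elseif ($id === T_VARIABLE && $text === '$GLOBALS') {
            $findings[] = ['line' => $line, 'kind' => '$GLOBALS access', 'detail' => $text];
        }
    }
    return $findings;
}

// Constructed sample input, modelled on the vulnerable snippet above.
$sample = <<<'SRC'
<?php
$db = new PDO(DSN, USER, PASS);
function getUser(int $id): array {
    global $db; // hidden dependency
    return $db->query('SELECT * FROM users WHERE id = ' . $id)->fetch();
}
function note(): string { return 'global $db inside a string is ignored'; }
function cfg(): array { return $GLOBALS['config']; }
SRC;

foreach (findGlobalStateUse($sample) as $f) {
    printf("line %d: %s (%s)\n", $f['line'], $f['kind'], $f['detail']);
}
```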
