
Superglobals ($_GET, $_POST, $_SERVER…)

PHP · PHP 5.0+ · Beginner
debt(d5/e5/b7/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list phpstan, semgrep, and deptrac — these are specialist static analysis tools, not default linters. The code_pattern confirms they catch direct superglobal use in SQL/file paths or domain service classes, but this requires deliberate tool configuration and won't surface in a standard linter pass.

e5 Effort Remediation debt — work required to fix once spotted

Closest to 'touches multiple files / significant refactor in one component' (e5). The quick_fix says to filter at the controller boundary and pass clean values inward — but the common_mistakes show superglobals leaking into domain/service classes, session handling spread across many places, and direct use throughout the codebase. Introducing a request abstraction layer and pushing validation to the boundary while updating all call sites spans multiple files and components, landing solidly at e5.

b7 Burden Structural debt — long-term weight of choosing wrong

Closest to 'strong gravitational pull' (b7). The applies_to covers web, cli, and queue-worker contexts — all PHP contexts — and the why_it_matters explains that direct superglobal access 'creates hidden input coupling and makes testing harder' throughout the codebase. Every new feature and test strategy is shaped by whether superglobals are accessed directly or through an abstraction, and the common_mistakes show this pattern spreading into domain/service layers, giving it a strong gravitational pull across the whole application.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap — contradicts how a similar concept works elsewhere' (t7). The misconception field is explicit: $_REQUEST appears to be a convenient safe shorthand for $_GET and $_POST, but it merges GET, POST, and COOKIE with configurable and manipulable precedence — the 'obvious' convenience alternative is subtly unsafe. Additionally, $_SERVER['HTTP_HOST'] looks like a server-controlled value but is user-controllable, contradicting typical developer intuition about server variables. These are documented gotchas that contradict reasonable assumptions about how similar input concepts behave.


Also Known As

PHP superglobals, $_GET, $_POST, $_REQUEST, $_SERVER, $_SESSION

TL;DR

PHP's built-in global arrays that provide access to request data, environment, and server variables — all potentially attacker-controlled.

Explanation

PHP superglobals ($_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_SESSION, $_ENV, $_REQUEST) are accessible in any scope without declaration. Critically, all data from HTTP requests ($_GET, $_POST, $_COOKIE, $_REQUEST, and many $_SERVER keys) is attacker-controlled and must be validated and sanitised before use. $_SERVER['HTTP_HOST'], $_SERVER['HTTP_REFERER'], and $_SERVER['HTTP_X_FORWARDED_FOR'] are trivially spoofed. Never trust superglobal data without validation, and avoid $_REQUEST which merges GET, POST, and cookies.

Common Misconception

$_REQUEST is a convenient and safe alternative to $_GET and $_POST. $_REQUEST merges GET, POST, and COOKIE data — the precedence order is configurable and can be manipulated to override expected input sources. Always read from the explicit $_GET or $_POST superglobal.
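To make the precedence problem concrete, here is an added example (not the glossary's own code) that rebuilds the $_REQUEST merge from the `request_order` ini setting: PHP registers the listed sources left to right and later sources override earlier ones, and when `request_order` is empty PHP falls back to `variables_order`. The `$get`, `$post` and `$cookie` arrays are constructed stand-ins for the real superglobals so the script runs without a live request; `buildRequest()` and `postParam()` are names chosen for this illustration.

```php
<?php
declare(strict_types=1);

// Reproduce how PHP assembles $_REQUEST: for each letter of request_order
// (G = $_GET, P = $_POST, C = $_COOKIE) the source is merged in, and a key
// already present is overwritten by the later source.
function buildRequest(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    for ($i = 0; $i < strlen($order); $i++) {
        $letter = strtoupper($order[$i]);
        if (isset($sources[$letter])) {
            $merged = array_merge($merged, $sources[$letter]); // later source wins
        }
    }
    return $merged;
}

// Explicit-source reader: the handler states that this value must come from
// the POST body, so a cookie or query parameter of the same name cannot shadow it.
function postParam(array $post, string $key): ?string
{
    $v = $post[$key] ?? null;
    return is_string($v) ? $v : null; // key[]=x arrives as an array; reject it
}

// Constructed request: the form POSTs action=view, but the client also sends
// a cookie named "action" and a query parameter named "id".
$get    = ['id' => '42'];
$post   = ['action' => 'view', 'id' => '7'];
$cookie = ['action' => 'delete'];

// The same request yields a different $_REQUEST['action'] depending on php.ini,
// which is exactly why a handler must not rely on the merged view.
foreach (['GP', 'GPC', 'CPG'] as $order) {
    $r = buildRequest($order, $get, $post, $cookie);
    printf("request_order=%-3s  \$_REQUEST['action']=%-7s \$_REQUEST['id']=%s\n",
        $order, $r['action'] ?? '(unset)', $r['id'] ?? '(unset)');
}

// Reading from the explicit source does not depend on ini configuration at all.
printf("explicit POST action=%s\n", postParam($post, 'action') ?? '(unset)');
echo 'request_order on this host: ', var_export(ini_get('request_order'), true), PHP_EOL;
```

Run it and compare the three lines: under `GP` the cookie is ignored, under `GPC` the cookie silently replaces the posted action, and under `CPG` the query-string `id` replaces the posted one. The `postParam()` line is the same on every configuration, which is the point of always reading from `$_GET` or `$_POST` explicitly.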

Why It Matters

PHP superglobals ($_GET, $_POST, $_SERVER, $_SESSION) are accessible everywhere without declaration — accessing them directly throughout the codebase creates hidden input coupling and makes testing harder.

Common Mistakes

  • Reading $_GET/$_POST directly in domain or service classes — those layers should receive already-validated data.
  • Trusting $_SERVER['HTTP_HOST'] for security decisions — it is user-controlled.
  • Modifying $_SESSION directly in many places instead of through a session service — hard to trace and test.
  • Not filtering and validating superglobal values at the application boundary before passing them inward.

Avoid When

  • Never use $_REQUEST — it merges GET, POST, and COOKIE, making the input source ambiguous.
  • Do not use extract($_GET) or extract($_POST) — it overwrites arbitrary variables with user-controlled values.
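The `extract()` item deserves a side-by-side illustration; this is an added example, not code from the glossary. `$get` is a constructed stand-in for `$_GET` in which the client has added a parameter whose name collides with an internal variable; `vulnerableHandler()` and `hardenedHandler()` are names chosen for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed query parameters: "page" is expected, "isAdmin" is not, but
// extract() does not know the difference.
$get = ['page' => '2', 'isAdmin' => '1'];

// Vulnerable: extract() turns every key of a user-controlled array into a local
// variable. With the default EXTR_OVERWRITE flag it replaces $isAdmin, so the
// authorisation flag is now decided by the query string.
function vulnerableHandler(array $get): string
{
    $isAdmin = false; // internal flag the request must never influence
    $page    = 1;
    extract($get);
    return ($isAdmin ? 'admin' : 'user') . " view, page $page";
}

// Hardened: read only the keys the handler expects, cast each one to its type,
// and obtain internal state (the admin flag) from the application, not the request.
function hardenedHandler(array $get, bool $isAdmin): string
{
    $page = max(1, (int) ($get['page'] ?? 1));
    return ($isAdmin ? 'admin' : 'user') . " view, page $page";
}

echo vulnerableHandler($get), PHP_EOL;      // flag reflects the client's extra parameter
echo hardenedHandler($get, false), PHP_EOL; // flag reflects what the application decided
```

Passing `EXTR_SKIP` to `extract()` protects variables that already exist, but it still lets the client define any new variable name it likes, so it narrows the problem rather than removing it; reading named keys explicitly is the fix.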

When To Use

  • Access $_GET, $_POST, $_SERVER through a request abstraction layer rather than directly — makes testing and sanitisation consistent.
  • Always validate and sanitise superglobal values before use — they contain raw user input.

Code Examples

✗ Vulnerable
// Superglobals accessed deep in domain logic:
class OrderService {
    public function create(): Order {
        $userId = $_SESSION['user_id']; // Coupled to HTTP context
        $items = $_POST['items'];       // Should be injected, not read directly
        return new Order($userId, $items); // Order is assumed to exist elsewhere; unvalidated input reaches it
    }
}
✓ Fixed
// PHP superglobals — always available, all scopes
// $_GET     — URL query params
// $_POST    — HTTP POST body (form data)
// $_COOKIE  — HTTP cookies
// $_FILES   — uploaded file metadata
// $_SERVER  — server and request info
// $_SESSION — session data (after session_start())
// $_ENV     — environment variables
// $_REQUEST — merged GET+POST+COOKIE (avoid — ambiguous)
// $GLOBALS  — all global variables

// Safe access pattern:
$page  = max(1, (int) ($_GET['page'] ?? 1));
$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL) ?: '';

// JSON API body:
$body = json_decode(file_get_contents('php://input'), true) ?? [];
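The Common Mistakes, When To Use and Code Examples sections all describe the same shape: read request data in one boundary layer, validate it there, and hand plain typed values to the domain. The following added example (not the glossary's or any project's code) shows that shape end to end, including an allow-list check for `$_SERVER['HTTP_HOST']`. `Request`, `Order`, `OrderService`, `OrderController` and the allowed-host list are hypothetical names for the illustration, and the constructed request at the bottom stands in for a live HTTP request; it needs PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Request wraps the arrays it is given; only fromGlobals() touches superglobals,
// so tests construct a Request from literals and never need a real request.
final class Request
{
    public function __construct(
        private array $get,
        private array $post,
        private array $server,
        private array $session,
    ) {}

    public static function fromGlobals(): self
    {
        return new self($_GET, $_POST, $_SERVER, $_SESSION ?? []);
    }

    // One accessor per source: a value is read from the body or the session,
    // never from a merged view like $_REQUEST.
    public function body(string $key): mixed
    {
        return $this->post[$key] ?? null;
    }

    public function sessionInt(string $key): ?int
    {
        $v = $this->session[$key] ?? null;
        return is_int($v) ? $v : null;
    }

    // HTTP_HOST is the client's Host header. It is usable for routing or URL
    // building only after it matches a hostname this deployment actually serves.
    public function host(array $allowedHosts): string
    {
        $host = strtolower((string) ($this->server['HTTP_HOST'] ?? ''));
        $host = preg_replace('/:\d+$/', '', $host) ?? ''; // drop an explicit port
        if (!in_array($host, $allowedHosts, true)) {
            throw new RuntimeException('Unexpected Host header');
        }
        return $host;
    }
}

final class Order
{
    public function __construct(public readonly int $userId, public readonly array $items) {}
}

// Domain layer: receives validated values and knows nothing about HTTP,
// so it can be unit-tested without a session or a request.
final class OrderService
{
    public function create(int $userId, array $items): Order
    {
        if ($items === []) {
            throw new InvalidArgumentException('Order must contain at least one item');
        }
        return new Order($userId, $items);
    }
}

// Boundary layer: the only place request data is read. It validates, then
// passes plain typed values inward.
final class OrderController
{
    public function __construct(private OrderService $service, private array $allowedHosts) {}

    public function create(Request $request): Order
    {
        $request->host($this->allowedHosts); // fail fast on an unexpected Host
        $userId = $request->sessionInt('user_id');
        if ($userId === null) {
            throw new RuntimeException('Not authenticated');
        }
        $raw   = $request->body('items');
        $items = [];
        foreach ((is_array($raw) ? $raw : []) as $sku => $qty) {
            // keep only well-formed SKUs carrying a positive integer quantity
            if (preg_match('/^[A-Z0-9-]{1,32}$/', (string) $sku) === 1
                && ctype_digit((string) $qty) && (int) $qty > 0) {
                $items[(string) $sku] = (int) $qty;
            }
        }
        return $this->service->create($userId, $items);
    }
}

// Constructed request, built the way a unit test would build it: one valid
// line item, one SKU that fails the pattern, one non-positive quantity.
$request = new Request(
    get: [],
    post: ['items' => ['SKU-1' => '2', '../etc' => '1', 'SKU-2' => '-5']],
    server: ['HTTP_HOST' => 'shop.example:443'],
    session: ['user_id' => 42],
);
$controller = new OrderController(new OrderService(), ['shop.example']);
var_dump($controller->create($request)->items);
```

In production the front controller calls `Request::fromGlobals()` once; everything below it takes a `Request` or, further in, plain values. Changing the constructed `HTTP_HOST` to a hostname outside the allow-list makes `create()` throw before any order data is touched, which is the behaviour you want when a Host header is being used to build links or to pick a tenant.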

Added 15 Mar 2026
Edited 31 Mar 2026
DEV INTEL: Tools & Severity

Severity: 🟠 High · Fix effort: Medium

⚡ Quick Fix
Never use superglobal values directly in business logic — filter and validate at the controller boundary using filter_input() or a validation library, then pass clean values to services.

📦 Applies To
PHP 5.0+ · web · cli · queue-worker

🔍 Detection Hints
$_GET or $_POST used directly in a SQL query or file path; $_SERVER['HTTP_HOST'] used without validation; superglobals in domain service classes.
Auto-detectable: ✓ Yes (phpstan, semgrep, deptrac)

🤖 AI Agent
Confidence: Medium · False positives: High · ✗ Manual fix · Fix: High · Context: File · Tests: Update