What is the $_SERVER Superglobal Variable in PHP?

This article will explain what the $_SERVER superglobal variable is in the PHP programming language.

What is a ‘Superglobal’ Variable?

A superglobal variable is a variable that is available to all scripts in all scopes in PHP. It is available from within any file, class, or function.

What is the $_SERVER Superglobal Variable?

The $_SERVER superglobal contains information about the server and execution environment PHP is running in/on. It contains information on the request made to the web server, file paths, and other information. It will provide little to no info if run from the command line.

It is an array containing several values provided by the webserver – see further down in this article for the complete list of what may be included.

HTTP Request Headers in $_SERVER

Any element in the $_SERVER array which begins with HTTP_ has come from the HTTP request made to the webserver.

These values are dangerous and not to be trusted! The party making the request can include anything in those headers – so they cannot be considered as containing accurate data!

$_SERVER['PHP_SELF'] is the most dangerous of these. This variable contains the full path to the PHP script being executed, including any query parameters. This allows the party making the request to include arbitrary data. Displaying data from $_SERVER['PHP_SELF'] in a page would allow that party to inject code into your pages – a hack called Cross-Site Scripting (XSS).
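The risk described above, shown as an added example (not code from the original article). A constructed array stands in for the real $_SERVER so it runs from the command line; formTagUnsafe, formTagSafe, e, trustedHost and $allowedHosts are hypothetical names chosen for illustration.

```php
<?php
// Constructed request data standing in for $_SERVER (not from a real server).
// PHP_SELF reflects the path the client requested; HTTP_* entries are raw
// request headers. Both are entirely under the requester's control.
$server = [
    'PHP_SELF'        => '/form.php/"><script>alert(1)</script>',
    'SCRIPT_NAME'     => '/form.php',
    'HTTP_USER_AGENT' => '<img src=x onerror=alert(2)>',
    'HTTP_HOST'       => 'unknown-host.example',
];

// Vulnerable: the request-controlled value is written into the HTML as-is,
// so the quote and angle brackets end the attribute and start new markup.
function formTagUnsafe(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Escape for HTML text and attribute contexts at the point of output.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: use the script's own path and still escape it on output.
function formTagSafe(array $server): string
{
    return '<form method="post" action="' . e($server['SCRIPT_NAME']) . '">';
}

// A header that drives a decision (not just display) is compared against
// values the application already knows. $allowedHosts is a hypothetical
// application setting, not a PHP feature.
function trustedHost(array $server, array $allowedHosts): ?string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    return in_array($host, $allowedHosts, true) ? $host : null;
}

echo formTagUnsafe($server), "\n";         // injected markup survives intact
echo formTagSafe($server), "\n";           // only the script path is emitted
echo e($server['HTTP_USER_AGENT']), "\n";  // header shown as inert text
var_dump(trustedHost($server, ['www.example.com']));  // host not on the list
```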

Viewing the Contents of $_SERVER

You can output the contents of $_SERVER to a page for inspection.

This information is sensitive! It contains important information about your PHP environment, and values within it could be used to orchestrate an attack on your server.

DO NOT HOST THIS CODE ON A PUBLICLY FACING SERVER!

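<?php
// var_export() copes with array entries such as argv; htmlspecialchars() escapes request-supplied values.
foreach ($_SERVER as $key => $value)
    echo htmlspecialchars("$key = " . var_export($value, true), ENT_QUOTES, 'UTF-8') . "\n";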

Data Available in $_SERVER

Here’s a list of the values that may be stored in the $_SERVER array, depending on your PHP configuration/environment:

PHP_SELF The filename of the script being executed
argv Array of arguments passed to the script
argc Number of command line parameters passed to the script if run from command line
GATEWAY_INTERFACE Revision of the CGI specification the server is using
SERVER_ADDR The IP address of the server under which the PHP and script are executing
SERVER_NAME The hostname of the server under which the PHP and script are executing
SERVER_SOFTWARE Identification string given in headers when responding to requests
SERVER_PROTOCOL Name/revision of the information protocol used in the request; e.g. ‘HTTP/1.0’
REQUEST_METHOD Request method used to access the script – ‘GET’, ‘HEAD’, ‘POST’ or ‘PUT’
REQUEST_TIME Timestamp of when the request was made
REQUEST_TIME_FLOAT Timestamp of when the request was made – extra precision
QUERY_STRING Query string, if present, from the URL used to access the script
DOCUMENT_ROOT Root directory under which the script is executing – set in PHP’s configuration file
HTTP_ACCEPT Text of the Accept header from the request if present
HTTP_ACCEPT_CHARSET Text of the Accept-Charset header from the request if present
HTTP_ACCEPT_ENCODING Text of the Accept-Encoding header from the request if present
HTTP_ACCEPT_LANGUAGE Text of the Accept-Language header from the request if present
HTTP_CONNECTION Text of the Connection header from the request if present
HTTP_HOST Text of the Host header from the request if present
HTTP_REFERER If another page referred the user agent to this page, the address of the other page. As this is set by the party making the request, it is untrustworthy
HTTP_USER_AGENT Text of the User-Agent header from the request, if present
HTTPS Empty if the script was NOT queried through the HTTPS protocol
REMOTE_ADDR IP address from which the request was made
REMOTE_HOST Hostname from which the request was made
REMOTE_PORT Port from which the request was made
REMOTE_USER If authenticated via HTTP authentication, the authenticated user
REDIRECT_REMOTE_USER The authenticated user if authenticated via HTTP authentication, and if the request was redirected internally
SCRIPT_FILENAME The absolute path to the script being executed
SERVER_ADMIN If running under the Apache web server, the value of the SERVER_ADMIN directive in the web server configuration
SERVER_PORT Port the web server hosting PHP is running on
SERVER_SIGNATURE If enabled, server version and virtual host name which are added to generated pages
PATH_TRANSLATED Path to the executing script on the server file system (not relative to document root)
SCRIPT_NAME The path to the executing script (As it appears in the URI)
REQUEST_URI The full URI which was used to access the page
PHP_AUTH_DIGEST Set to the Authorization header as sent by the client, if using digest HTTP authentication
PHP_AUTH_USER When using HTTP authentication this variable is set to the provided username
PHP_AUTH_PW When using HTTP authentication this variable is set to the provided password
AUTH_TYPE When using HTTP authentication this variable is set to the provided authentication type
PATH_INFO Any paths appended to the script filename preceding the query string
ORIG_PATH_INFO PATH_INFO (above) before being processed by PHP

For more information on what these values mean, check out the official PHP documentation.

Author
I'm Brad, and I'm nearing 20 years of experience with Linux. I've worked in just about every IT role there is before taking the leap into software development. Currently, I'm building desktop and web-based solutions with NodeJS and PHP hosted on Linux infrastructure. Visit my blog or find me on Twitter to see what I'm up to.
