This article will explain what the $_SERVER superglobal variable is in the PHP programming language.
What is a ‘Superglobal’ Variable?
A superglobal variable is a variable that is available to all scripts in all scopes in PHP. It is available from within any file, class, or function.
What is the $_SERVER Superglobal Variable?
The $_SERVER superglobal contains information about the server and execution environment PHP is running in/on. It contains information on the request made to the web server, file paths, and other information. It will provide little to no info if run from the command line.
It is an array containing several values provided by the webserver – see further down in this article for the complete list of what may be included.
HTTP Request Headers in $_SERVER
Any element in the $_SERVER array which begins with HTTP_ has come from the HTTP request made to the webserver.
These values are dangerous and not to be trusted! The party making the request can include anything in those headers – so they cannot be considered as containing accurate data!
$_SERVER['PHP_SELF'] is the most dangerous of these. This variable contains the full path to the PHP script being executed, including any query parameters. This allows the party making the request to include arbitrary data. Displaying data from $_SERVER['PHP_SELF'] in a page would allow that party to inject code into your pages – an attack called Cross-Site Scripting (XSS).
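As an added example (not code from the original article), the self-posting form pattern the paragraph above warns about, rendered first unsafely and then with the two fixes a reviewer would ask for: HTML-escaping any $_SERVER value before it is placed in a page, and using SCRIPT_NAME, which carries no request-supplied path data. The $_SERVER values and the hostname are constructed placeholders so the script runs from the command line.

```php
<?php
// Added example, not from the original article. Constructed values stand in for
// a real request so this runs from the CLI: the trailing segment is data the
// requester appended after the script name, which PHP folds into PHP_SELF.
$_SERVER['PHP_SELF']    = '/contact.php/"><b>injected</b>';
$_SERVER['SCRIPT_NAME'] = '/contact.php';
$_SERVER['HTTP_HOST']   = 'example.invalid';   // placeholder hostname

// Escape any $_SERVER value before it goes into HTML. ENT_QUOTES encodes both
// quote characters, so a value cannot break out of an attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe: the raw value closes the action attribute and the injected markup
// becomes part of the page.
$unsafe = '<form action="' . $_SERVER['PHP_SELF'] . '">';

// Safer: escaping keeps the entire value inside the attribute.
$escaped = '<form action="' . h($_SERVER['PHP_SELF']) . '">';

// Preferred for a self-posting form: SCRIPT_NAME has no request-supplied
// path info, and it is still escaped out of habit.
$fixed = '<form action="' . h($_SERVER['SCRIPT_NAME']) . '">';

// HTTP_HOST is also a request header. Compare it against an allow-list before
// using it to build absolute URLs; fall back to the canonical name otherwise.
$allowedHosts = ['example.invalid'];
$host = in_array($_SERVER['HTTP_HOST'] ?? '', $allowedHosts, true)
    ? $_SERVER['HTTP_HOST']
    : $allowedHosts[0];

echo "unsafe : $unsafe\n";
echo "escaped: $escaped\n";
echo "fixed  : $fixed\n";
echo "host   : $host\n";
```

Running it prints the unsafe line with the attribute broken open, while the escaped and fixed lines keep the whole value inside the quotes.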
Viewing the Contents of $_SERVER
You can output the contents of $_SERVER to a page for inspection.
This information is sensitive! It contains important information about your PHP environment, and values within it could be used to orchestrate an attack on your server.
DO NOT HOST THIS CODE ON A PUBLICLY FACING SERVER!
<?php header('Content-Type: text/plain'); // serve as plain text so the newlines render and no header value is parsed as HTML
foreach ($_SERVER as $key => $value) echo "$key = '", is_array($value) ? implode(' ', $value) : $value, "'\n"; // argv is an array
Data Available in $_SERVER
Here’s a list of the values that may be stored in the $_SERVER array, depending on your PHP configuration/environment:
Key | Description |
PHP_SELF | The filename of the script being executed |
argv | Array of arguments passed to the script |
argc | Number of command line parameters passed to the script if run from the command line |
GATEWAY_INTERFACE | Revision of the CGI specification the server is using |
SERVER_ADDR | The IP address of the server under which PHP and the script are executing |
SERVER_NAME | The hostname of the server under which PHP and the script are executing |
SERVER_SOFTWARE | Identification string given in headers when responding to requests |
SERVER_PROTOCOL | Name/revision of the information protocol used in the request; e.g. 'HTTP/1.0' |
REQUEST_METHOD | Request method used to access the script – 'GET', 'HEAD', 'POST' or 'PUT' |
REQUEST_TIME | Timestamp of when the request was made |
REQUEST_TIME_FLOAT | Timestamp of when the request was made – extra precision |
QUERY_STRING | Query string, if present, from the URL used to access the script |
DOCUMENT_ROOT | Root directory under which the script is executing, set in the PHP configuration file |
HTTP_ACCEPT | Text of the Accept header from the request, if present |
HTTP_ACCEPT_CHARSET | Text of the Accept-Charset header from the request, if present |
HTTP_ACCEPT_ENCODING | Text of the Accept-Encoding header from the request, if present |
HTTP_ACCEPT_LANGUAGE | Text of the Accept-Language header from the request, if present |
HTTP_CONNECTION | Text of the Connection header from the request, if present |
HTTP_HOST | Text of the Host header from the request, if present |
HTTP_REFERER | If another page referred the user agent to this page, the address of the other page. As this is set by the party making the request, it is untrustworthy |
HTTP_USER_AGENT | Text of the User-Agent header from the request, if present |
HTTPS | Empty if the script was NOT queried through the HTTPS protocol |
REMOTE_ADDR | IP address from which the request was made |
REMOTE_HOST | Hostname from which the request was made |
REMOTE_PORT | Port from which the request was made |
REMOTE_USER | If authenticated via HTTP authentication, the authenticated user |
REDIRECT_REMOTE_USER | The authenticated user if authenticated via HTTP authentication, and if the request was redirected internally |
SCRIPT_FILENAME | The absolute path to the script being executed |
SERVER_ADMIN | If running under the Apache web server, the value of the SERVER_ADMIN directive in the web server configuration |
SERVER_PORT | Port the web server hosting PHP is running on |
SERVER_SIGNATURE | If enabled, server version and virtual host name which are added to generated pages |
PATH_TRANSLATED | Path to the executing script on the server file system (not relative to the document root) |
SCRIPT_NAME | The path to the executing script (as it appears in the URI) |
REQUEST_URI | The full URI which was used to access the page |
PHP_AUTH_DIGEST | Set to the Authorization header as sent by the client, if using digest HTTP authentication |
PHP_AUTH_USER | When using HTTP authentication, this variable is set to the provided username |
PHP_AUTH_PW | When using HTTP authentication, this variable is set to the provided password |
AUTH_TYPE | When using HTTP authentication, this variable is set to the provided authentication type |
PATH_INFO | Any paths appended to the script filename preceding the query string |
ORIG_PATH_INFO | PATH_INFO (above) before being processed by PHP |
For more information on what these values mean, check out the official PHP documentation.