
$_SERVER in PHP | Superglobals

PHP provides superglobal variables for processing information about the operation of the web server or sent by the user to PHP; they are accessed in the same way as arrays. These include $_GET and $_POST, which hold the data received through GET and POST requests, respectively.

The number of elements in them depends on the specific request, while in $_SERVER, with which you can, for example, find out the User-Agent, the number of name-value pairs exceeds several dozen.

Through $_SERVER, you can work with information received both from the client browser and issued by the operating system or server program used to run the script. Depending on the software used, there may be indexes not specified in the official documentation and, conversely, there may be no elements listed in the PHP reference.

Description of the superglobal $_SERVER['ELEMENT']


$_SERVER was introduced in the fourth version, significantly redesigned in the 4.1.0 specification and continues to be supported, supplemented by new indexes, in modern versions. Now, as at the time of its appearance, this feature of the language is used in a wide variety of scenarios: from the simple output of information such as "we know your User-Agent" to tasks related to the security of not only visitors, but also the website itself.

Some elements return different results from those in normal mode when PHP programs are run on the command line. Although this launch mode was not planned to be supported when the language was created, the option is still possible and is often used by the creators of parser programs that receive and process information from other sites.

To obtain the value stored under a certain index, access it as you would an element of an ordinary array. Example:

<?php echo $_SERVER['DOCUMENT_ROOT']; ?>

This statement, which can be shortened to <?=$_SERVER['DOCUMENT_ROOT']; ?>, displays the absolute path to the "root of the site" visible to visitors - the public_html directory, often represented by a shortcut to the private_html directory.

Elements Overview

Most of the components presented below are described in the CGI/1.1 specification, so if you have read it, the indexes will be easier to remember, although they already have simple names.


Returns the name of the script currently executing, along with the directories as the user sees them. To get the absolute path to the executable program, you need to use this index together with DOCUMENT_ROOT, joining the two superglobal values with a dot (the concatenation operator).

If you use the PHP_SELF call together with the magic constant __FILE__, the result will be identical to that of the above solution, which involves the use of two indexes. The time difference between this and the previous option is insignificant, but if you want to optimize the code as much as possible, this method is suitable.


When you use $_SERVER['argv'], as in the case of $argv, you can get a list of arguments that the specified script works with. If you call the function or access the superglobal from the console, you get a list of command-line options similar to that offered in C.


It works in a similar way to $argv, but instead of an array it gives the number of parameters used, allowing you to avoid the count() function and thereby save time during interpretation.


Retrieves information about the CGI specification supported by the server. It is extremely useful for adding conditions to if-elseif-else before scripts that require this parameter.


Displays the IP of the server running the program, but not the user's address. From a security perspective, validation using this index provides low but still noteworthy protection against malicious code copying.

If you plan to add a condition that the program works only when the real IP matches the specified one, it is recommended to store the value to be checked in a global variable so that in the event of a "move" to another hosting, you do not have to edit each file separately, losing the uptime of the site in addition to the costs caused by editing DNS records and migrating configurations.


Gives the hostname where the script is executed. If the site is running on a virtual machine, the name of the virtual machine will be displayed, not the name of the dedicated server. Apache 2 users should note that the server must be configured to use the "canonical" name. If you do not do this, the value may be spoofed by the client, causing security issues.
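One way to guard against a spoofed host value, as an added example that is not part of the original article: compare the reported name with an allowlist before using it in generated links. The `ALLOWED_HOSTS` values, the function names and the sample requests are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: the hostnames this site is legitimately served under.
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

/**
 * Return a hostname safe to use in generated links, or null when the
 * request names a host the site does not recognise.
 */
function trusted_host(array $server): ?string
{
    // Without a canonical name configured, SERVER_NAME may come from the client.
    $raw = (string) ($server['SERVER_NAME'] ?? $server['HTTP_HOST'] ?? '');

    // Normalise: lower-case, strip an optional :port and a trailing dot.
    $host = strtolower(trim($raw));
    $host = (string) preg_replace('/:\d+$/', '', $host);
    $host = rtrim($host, '.');

    return in_array($host, ALLOWED_HOSTS, true) ? $host : null;
}

/** Build an absolute URL, falling back to the first allowlisted host. */
function absolute_url(array $server, string $path): string
{
    $host = trusted_host($server) ?? ALLOWED_HOSTS[0];
    return 'https://' . $host . '/' . ltrim($path, '/');
}

// Constructed sample requests (not real traffic).
$samples = [
    ['SERVER_NAME' => 'WWW.Example.com'],
    ['SERVER_NAME' => 'example.com:8443'],
    ['SERVER_NAME' => 'untrusted.invalid'],
];

foreach ($samples as $s) {
    printf("%-20s => %s\n", $s['SERVER_NAME'], absolute_url($s, '/account'));
}
```

The unrecognised host never reaches the generated link; the URL is built from the first allowlisted name instead.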


The name and version of the app on which the site runs. Among the common solutions compatible with PHP, there are Apache, nginx, XAMPP and similar developments suitable for any purpose - according to statistics from Wappalyzer, they are used everywhere: from personal blogs to the largest companies.

To avoid attacks, it is advised to hide the value of this parameter from users or even forge it. For example, if you specify somewhere that the site runs on nginx, this will protect a resource running on Apache, since attackers will try methods that are incompatible with the software actually in use.

In addition, it is recommended to limit the information shown on, for example, the standard HTTP error pages. The parameter is set in the server configuration; in Apache, this is the .htaccess file.


Indicates which method was used to access the page. It is one of the most commonly used elements presented in this article. Basically, $_SERVER['REQUEST_METHOD'] is used in form handlers that are placed in separate files.

If users find out the links to them, then, if the request method does not match, they are likely to see a white screen, which is a flaw in terms of user experience. It is corrected by an error message or, slightly worse than this option, a redirect to another page.

If the script is accessed via HTTP HEAD, the program will be processed after the headers are sent. In the response, the function outputs the method name written in capital letters:

  • GET,
  • POST,
  • OPTIONS and the like.
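A form handler that answers a mismatched method with an explicit error instead of a white screen, as an added example that is not part of the original article. The `handle_form` function, the `email` field and the sample requests are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Decide the response of a form handler from the request method.
 * Returns [HTTP status, extra headers, body text].
 */
function handle_form(array $server, array $post): array
{
    $method = strtoupper((string) ($server['REQUEST_METHOD'] ?? ''));

    if ($method !== 'POST') {
        // 405 with an Allow header tells the client which method is accepted.
        return [405, ['Allow: POST'], 'This address only accepts form submissions.'];
    }

    // A field sent as email[]=... arrives as an array; treat that as invalid.
    $email = is_string($post['email'] ?? null) ? trim($post['email']) : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return [400, [], 'Please enter a valid e-mail address.'];
    }
    return [200, [], 'Thank you, the form was received.'];
}

if (PHP_SAPI !== 'cli') {
    // Web request: emit the status, headers and message.
    [$status, $headers, $body] = handle_form($_SERVER, $_POST);
    http_response_code($status);
    foreach ($headers as $line) {
        header($line);
    }
    header('Content-Type: text/plain; charset=utf-8');
    echo $body;
} else {
    // CLI run: constructed sample requests.
    $samples = [
        [['REQUEST_METHOD' => 'GET'], []],
        [['REQUEST_METHOD' => 'POST'], ['email' => 'not-an-address']],
        [['REQUEST_METHOD' => 'POST'], ['email' => 'user@example.com']],
    ];
    foreach ($samples as [$server, $post]) {
        [$status, , $body] = handle_form($server, $post);
        printf("%-4s => %d %s\n", $server['REQUEST_METHOD'], $status, $body);
    }
}
```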


Through $_SERVER['REQUEST_TIME'], you can get a timestamp indicating when the server began processing the HTTP request sent by the user. One use of this index is analyzing the speed of the script and the server as a whole. The advantage over microtime(); is that the array element reflects not only the speed of the program, but also the response time of the site.


It does the same as the above index, except for a more accurate time output - according to the results of the program, a floating-point number will be displayed. In other words, this array component returns the time elapsed since the client request was received, adjusted for microseconds.


Displays the data passed after the question mark in the address bar. The information passed via GET has a limited length of up to 2048 characters. Because parameters sent by this method are preserved in the browser history, and a list of frequently visited resources may be passed on to application developers, the method is not recommended for sending confidential information such as passwords, logins and payment details.

Because the client uses the URL only to give the server information beyond what the browser already sends, and this is not necessary for accessing most pages, the value of this component may be empty.


Specifies the absolute path to the root directory of the site, visible to visitors and used on the front-side. Correct operation of the resource is ensured if the value of $_SERVER['DOCUMENT_ROOT'] matches what is specified in the server settings.


Information about the technologies, headers, protocols available to the user's browser. It is used mainly for checks when switching the client to the full, lightweight or mobile version of the site, or issuing errors about the impossibility of using the resource due to the incompatibility of the application with certain functionality.


Returns the contents of the Accept-Charset header indicating the encodings to be accepted. There can be several of them, so to switch this indicator, it is advised to use conditions tied to the results of the execution of strpos(); or strstr();.


Among novice programmers, this parameter is often confused with the one mentioned above. $_SERVER['HTTP_ACCEPT_ENCODING'] holds the Accept-Encoding HTTP header sent by the client, which shows the available ways to compress information to speed up page loading.


The parameter is set by the user's browser when the page is opened and contains several languages with different coefficients that indicate how likely the user is to prefer the specified localization. Values are calculated by the client software based on its own parameters and system settings, and on analysis of visited resources (if allowed).


The type of connection preferred by the user. Read from the Connection header. The most common option: keep-alive.

Protection built on HTTP_CONNECTION, when combined with checks on other indexes, will protect against abuse of access to any program or, more simply, exclude flood requests.


Shows the data that came with the Host header.


Displays the source site from which the user came. There are add-ons that remove it, and some browsers have built-in functionality for replacing the REFERER value, so you should not base any important checks on $_SERVER['HTTP_REFERER'].
It is possible to protect the server from mass requests coming from a certain address known from REFERER, but protection of this kind will be ineffective for the above reason, even if you set it at the level of a settings file of the .htaccess type.


Another frequently used element of the array is used to obtain data about the browser and system that the client uses. The most common uses are:

  • determining whether the device is mobile;
  • identifying the software version to display warnings in case any applications are outdated;
  • defining links to download specific content to enhance the "user experience".

A more practical option to understand whether the user is using a smartphone, tablet, or prefers stationary devices is to determine the orientation of the screen and its resolution, which is possible not only by means of JavaScript, but also by means of CSS, which is not considered a programming language, but serves to add to the design.


Displays whether the connection was established using the HTTPS protocol protected from tracking by network owners, or whether HTTP was used.


Gets the user's IP address. It is impossible to obtain data on the provider it belongs to, or approximate geolocation, using built-in tools, but there are solutions in the form of your own databases or sites offered by the community. One of the best among the free services is the, which provides data in the form of PHP, JSON and other types of arrays.


Gives the address of the page the visitor is on, as available on the client side, relative to the root directory. There are other indexes; a more detailed list is presented on the official portal.

HTTP Authorization

PHP supports authorization with the output of the corresponding windows directly in the browser and further processing using super variables. Despite the greater convenience in protecting an entire directory by means of .htaccess or similar files (depending on the software), the option of installing a system of logins and passwords using this language is acceptable.

The submitted information is stored in the following indexes:

  • PHP_AUTH_DIGEST is a flag that indicates whether the page is protected. If the value is "Authorization", further functionality is activated to check the "login:password" pair entered by the client;
  • PHP_AUTH_USER – the login specified in the window;
  • PHP_AUTH_PW – the password provided;
  • AUTH_TYPE is a type of authorization, common values are Digest and Basic.

Encryption is supported, including with the help of SHA-1, which increases the safety of user data. It is advised to block a file with confidential information from ordinary visitors using .htaccess or other methods, including a check with defined();.
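A check of the PHP_AUTH_USER and PHP_AUTH_PW indexes for Basic authorization, as an added example that is not part of the original article. It stores password_hash() output and verifies with password_verify() rather than using SHA-1; the `$users` store, the `check_basic_auth` function and the sample credentials are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed credential store for the demo: username => password_hash() output.
$users = ['admin' => password_hash('s3cret-demo-pass', PASSWORD_DEFAULT)];

/** Check the Basic credentials PHP exposes in PHP_AUTH_USER / PHP_AUTH_PW. */
function check_basic_auth(array $server, array $users): bool
{
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;
    if (!is_string($user) || !is_string($pass)) {
        return false; // no credentials sent yet
    }
    // Verify against a throwaway hash for unknown users, so the response
    // time does not reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $known = array_key_exists($user, $users);
    $valid = password_verify($pass, $known ? $users[$user] : $dummy);

    return $known && $valid;
}

if (PHP_SAPI !== 'cli') {
    // Web request: ask the browser for credentials until they verify.
    if (!check_basic_auth($_SERVER, $users)) {
        header('WWW-Authenticate: Basic realm="Restricted area"');
        http_response_code(401);
        exit('Authentication required.');
    }
    echo 'Welcome, ' . htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8');
} else {
    // CLI run: constructed $_SERVER samples.
    $samples = [
        'valid login'    => ['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 's3cret-demo-pass'],
        'wrong password' => ['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 'guess'],
        'unknown user'   => ['PHP_AUTH_USER' => 'nobody', 'PHP_AUTH_PW' => 'guess'],
        'no credentials' => [],
    ];
    foreach ($samples as $label => $server) {
        printf("%-15s => %s\n", $label, check_basic_auth($server, $users) ? 'allow' : '401');
    }
}
```

Basic authorization sends the login and password with every request, so it should only be offered when $_SERVER['HTTPS'] shows the connection is protected.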


Get the absolute path to the file


This option involves using two array indexes to find out the absolute location of the document. The path can be entered manually, but this will cause problems when moving the resource to another hosting, if you do not create exactly the same folders.

Output of all information

<?php var_dump($_SERVER); ?>

All data stored in the superglobal can be retrieved with var_dump();. Some of the information provided in this way should never be shared with users, as this increases the vulnerability of the web server. The content is sufficient for debugging and should only be displayed to resource administrators.


PHP has implemented powerful tools that expand the scope of the language. $_SERVER, considered here, is only a fraction of the predefined variables that increase interest in learning programming.