Intermediate · 17 min read

Web Development

Handle HTTP requests, forms, sessions, cookies, and file uploads in PHP web apps.

Superglobals and Requests

$_GET, $_POST, $_SERVER, $_FILES, and $_COOKIE expose request data. Never trust raw input: validate and filter it before use.

Use filter_input with FILTER_VALIDATE_EMAIL and related filters for basic validation. Frameworks wrap the superglobals in Request objects with richer APIs.

$_SERVER['REQUEST_METHOD'] and $_SERVER['REQUEST_URI'] drive routing in microframeworks.

  • Prefer POST for mutating actions
  • CSRF-protect state-changing forms
  • Normalize UTF-8 input early

$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
// filter_input() returns null when the field is absent and false when it fails validation
if ($email === null || $email === false) {
    throw new ValidationException('Invalid email'); // app-defined exception class
}
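The three points above (POST-only mutation, a CSRF token on the form, and validation that rejects both absent and malformed fields) fit together in one small handler. The following is an added example written for this page, not code from the tutorial; the /subscribe route, the form field names and the ValidationException class are assumptions, and it targets PHP 8.

```php
<?php
declare(strict_types=1);

// Added example: route on REQUEST_METHOD, check a per-session CSRF token,
// and validate every field with filter_input(). ValidationException and the
// /subscribe route are assumptions for illustration.
class ValidationException extends RuntimeException {}

session_start();

// One random token per session, embedded as a hidden field in every form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// hash_equals() compares in constant time, so a near miss leaks no timing signal.
function verifyCsrf(mixed $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// filter_input() yields null for a missing field and false for an invalid one;
// both are rejected. Free text is checked for valid UTF-8 and capped in length.
function validateSubscribeForm(): array
{
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    if ($email === null || $email === false) {
        throw new ValidationException('Invalid or missing email');
    }

    $age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 13, 'max_range' => 120],
    ]);
    if ($age === null || $age === false) {
        throw new ValidationException('Age must be an integer between 13 and 120');
    }

    // FILTER_DEFAULT returns the raw string (or false if the field is an array).
    $name = filter_input(INPUT_POST, 'name', FILTER_DEFAULT);
    if (!is_string($name)) {
        throw new ValidationException('Missing name');
    }
    $name = trim($name);
    if ($name === '' || !mb_check_encoding($name, 'UTF-8') || mb_strlen($name) > 100) {
        throw new ValidationException('Name must be 1-100 characters of valid UTF-8');
    }

    return ['email' => $email, 'age' => $age, 'name' => $name];
}

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$path   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);

if ($path === '/subscribe' && $method === 'GET') {
    // Render the form; the token is escaped on output like any other value.
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="/subscribe">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . '<input name="name"><input name="email"><input name="age">'
       . '<button>Subscribe</button></form>';
} elseif ($path === '/subscribe' && $method === 'POST') {
    if (!verifyCsrf($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    try {
        $data = validateSubscribeForm();
        // ... persist $data ...
        // 303 makes the browser re-request with GET instead of resubmitting the form.
        header('Location: /subscribe?ok=1', true, 303);
        exit;
    } catch (ValidationException $e) {
        http_response_code(422);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
} else {
    // The mutating action is POST-only; anything else is refused.
    http_response_code(405);
    header('Allow: GET, POST');
}
```

The token check runs before any validation so a forged request never reaches the business logic, and the redirect after a successful POST is what keeps a browser refresh from replaying the mutation.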

Sessions and Cookies

session_start() enables server-side $_SESSION storage, with a session cookie identifying each client. Regenerate the session ID on login to defeat session fixation.

Set cookies with setcookie() or framework helpers; for auth tokens use HttpOnly, Secure, and SameSite=Lax or Strict.

Store minimal data in sessions; large objects belong in databases keyed by session user ID.

  • Expire sessions on logout and password change
  • Do not store secrets in client-visible cookies
  • Configure session.gc_maxlifetime appropriately

session_start();
// Regenerate first, so the pre-login ID never holds authenticated state (fixation defence)
session_regenerate_id(true);
$_SESSION['user_id'] = $user->id;
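The points in this section (cookie flags on the session cookie, regenerating the ID on login, expiring on logout and password change, and keeping secrets out of client-visible cookies) are shown together below. This is an added example, not the tutorial's code; SESSION_IDLE_LIMIT, the remember-me cookie and the commented-out invalidateOtherSessions() helper are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: session and cookie hardening around login and logout.
// SESSION_IDLE_LIMIT and invalidateOtherSessions() are illustrative assumptions.

const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity before the session is discarded

function startSecureSession(): void
{
    // Flags for the session cookie itself: invisible to JavaScript, HTTPS only,
    // and never sent on cross-site navigations.
    session_set_cookie_params([
        'lifetime' => 0,          // browser-session cookie
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never read the ID from the URL
    session_start();

    // Idle timeout: wipe the data and re-key the session if it sat unused too long.
    $last = $_SESSION['last_activity'] ?? time();
    if (time() - $last > SESSION_IDLE_LIMIT) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_activity'] = time();
}

function login(int $userId): void
{
    // Regenerate BEFORE writing authenticated state, so an ID an attacker
    // planted in the victim's browser (fixation) never becomes a logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser with the same parameters it was issued with.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// After a password change the current session is re-keyed; other sessions for
// the same user must be dropped in the server-side store (hypothetical helper).
function onPasswordChanged(int $userId): void
{
    session_regenerate_id(true);
    // invalidateOtherSessions($userId); // assumed to exist in your session store layer
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Remember-me cookie: the client only ever holds a random opaque value. The
// server stores hash('sha256', $token) and maps it to the user; the user ID
// itself never travels in a cookie.
function issueRememberCookie(): string
{
    $token = bin2hex(random_bytes(32));
    setcookie('remember', $token, [
        'expires'  => time() + 30 * 86400,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $token;
}
```

session.use_strict_mode matters alongside regeneration: without it PHP will happily adopt any well-formed ID a client presents, which is exactly what a fixation attempt relies on. session.gc_maxlifetime still bounds how long idle data survives on disk, so the idle check here complements it rather than replacing it.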

File Uploads and Responses

Inspect $_FILES for tmp_name, size, and the error code. Move uploads with move_uploaded_file() into a non-executable directory, outside the web root when possible.

Validate MIME types and extensions, and generate random filenames. Virus-scan when accepting user binaries.

Send redirects with header('Location: ...') followed by exit; set status codes with http_response_code().

  • Enforce maximum upload size in php.ini and app logic
  • Never execute uploaded files
  • Use Content-Disposition attachment for downloads
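Below, an added example (not the tutorial's code) ties the upload and response advice together: it checks the $_FILES error code and size, detects the type from file content rather than the client-supplied name, stores the file under a random name outside the web root, and serves it back as an attachment. UPLOAD_DIR, MAX_BYTES, the 'avatar' field name and the /profile redirect target are assumptions; the match expression needs PHP 8.

```php
<?php
declare(strict_types=1);

// Added example: hardened upload handling and an attachment download.
// UPLOAD_DIR, MAX_BYTES and the 'avatar' field are assumptions for illustration.

const UPLOAD_DIR = '/var/app/uploads';  // outside the document root, no execute bit
const MAX_BYTES  = 2 * 1024 * 1024;     // also cap upload_max_filesize/post_max_size in php.ini

// Allowlist of detected MIME type => extension the app assigns.
const ALLOWED = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
];

// Returns the stored filename or throws RuntimeException with a user-safe message.
function storeUpload(string $field): string
{
    if (!isset($_FILES[$field]) || !is_array($_FILES[$field])) {
        throw new RuntimeException('No file submitted');
    }
    $f = $_FILES[$field];

    // Error code first: a partial upload has no usable tmp file.
    if ($f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException(match ($f['error']) {
            UPLOAD_ERR_INI_SIZE, UPLOAD_ERR_FORM_SIZE => 'File exceeds the size limit',
            UPLOAD_ERR_PARTIAL => 'Upload was interrupted',
            UPLOAD_ERR_NO_FILE => 'No file submitted',
            default            => 'Upload failed',
        });
    }
    if ($f['size'] > MAX_BYTES) {
        throw new RuntimeException('File exceeds the size limit');
    }
    // Only handle files PHP itself received through the upload mechanism.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('Invalid upload');
    }

    // Type from content; $_FILES['type'] and the filename are client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('Unsupported file type');
    }
    $expected  = ALLOWED[$mime];
    $clientExt = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    $okExts    = $expected === 'jpg' ? ['jpg', 'jpeg'] : [$expected];
    if (!in_array($clientExt, $okExts, true)) {
        throw new RuntimeException('File extension does not match its content');
    }

    // Random name: the user-chosen name (and any path or encoding tricks in it) is discarded.
    $stored = bin2hex(random_bytes(16)) . '.' . $expected;
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('Could not save file');
    }
    chmod($dest, 0640); // readable by the app user, never executable
    return $stored;
}

// Serve a stored file as a download; only names this app generated are accepted.
function sendDownload(string $stored, string $downloadName): void
{
    $path = UPLOAD_DIR . '/' . $stored;
    if (!preg_match('/^[a-f0-9]{32}\.(png|jpg)$/', $stored) || !is_file($path)) {
        http_response_code(404);
        exit;
    }
    // Restrict the user-facing name so it cannot break out of the header value.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $downloadName);
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    exit;
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    try {
        $stored = storeUpload('avatar');
        // ... record $stored against the user ...
        header('Location: /profile', true, 303); // GET after POST, no resubmission on refresh
        exit;
    } catch (RuntimeException $e) {
        http_response_code(422);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Serving with application/octet-stream plus Content-Disposition: attachment means a stored file is downloaded rather than rendered in the origin, which is what keeps an upload from ever executing as a page, and the regex on the stored name makes the download path accept nothing but names the app minted itself.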
