Hypertext Transfer Protocol (HTTP) is the language of the web. It is a request-response protocol, i.e., a web client such as a browser (e.g., Google Chrome, Firefox, Safari, etc.) asks for a page from a web server, which sends back the page as a response.
If you type
http://www.facebook.com into your browser, this is what the raw information sent as a request may look like:
GET / HTTP/1.1 Host: facebook.com User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Accept: */* Referer:
It is made up of a request line (GET / HTTP/1.1), a number of header field lines named as
<key>: value (e.g.
Accept: */*), a single empty line and an optional body for any data payload (for example, query parameters or post data).
When the HTTP Request reaches a web server that is running PHP, it is then translated into some global variables for the PHP environment. Let us now turn our attention to these variables.
$_REQUEST is a superglobal variable. It is available in all scopes everywhere in a script as an associative array of the contents of
$_COOKIE variables. These variables in
$_REQUEST are made available through the GET, POST, and COOKIE input mechanisms. Potentially, they could be modified by a user and therefore cannot be trusted. The inclusion and order of variables listed in this array is defined by the PHP
variables_order configuration directive in the
variables_order directive sets the order in which the following variables are parsed - EGPCS (Environment, Get, Post, Cookie, and Server). It is a string made of the first letter of the variables. If any are left out, there will be no superglobal variable for the letter available. For example, if
variables_order is set to "SP", PHP will create the superglobals
$_COOKIE will not be created at all. If the
variables_order is set to
"", it effectively means no superglobals are set.
$_REQUEST holds any global data that is registered with the
request_order directive in the
php.ini file. The order of the data is similar to that of
variables_order directive. If
request_order is empty, PHP will use the value of
If the deprecated
register_globals directive is on, then
variables_order also configures the order the ENV, GET, POST, COOKIE and SERVER variables are populated in global scope. For example, if
variables_order is set to "EGPCS",
register_globals is enabled as well as both
$_POST['action'] are set, then
$action will contain the value of
$_POST['action'] as P comes after G in our example directive value.
A final observation in both the CGI and FastCGI SAPIs -
$_SERVER holds values from both the Environment and Server. Therefore, in such setups, S is always equivalent to ES regardless of the placement of E elsewhere in this directive. In fact, the E is effectively redundant in these situations.
From the preceding, we can observe many moving parts between a request and what eventually gets processed by the web server. The HttpFoundation component from the Symfony project crystallizes the HTTP specification into a uniform object-oriented layer with two prominent classes -
Request object sanitizes the incoming request and encapsulates it in a single object representing the HTTP request message. It also provides built-in methods for doing certain things, e.g.
isSecure(), and provides session-management through a
HTTP is a stateless protocol. In order to deliver a simple web page, there may be hundreds of HTTP requests. Different web technologies have different approaches to dealing with this situation, e.g. Node.js and Ruby. Drupal 8 is built on a PHP solution provided by the HttpFoundation component from Symfony.