Hypertext Transfer Protocol (HTTP) is the language of the web. It is a request-response protocol, i.e., a web client such as a browser (e.g., Google Chrome, Firefox, Safari, etc.) asks for a page from a web server, which sends back the page as a response.

If you type http://www.facebook.com into your browser, this is what the raw information sent as a request may look like:

GET / HTTP/1.1
Host: facebook.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

It is made up of a request line (GET / HTTP/1.1), a number of header field lines named as <key>: value (e.g. Accept: */*), a single empty line and an optional body for any data payload (for example, query parameters or post data).

When the HTTP Request reaches a web server that is running PHP, it is then translated into some global variables for the PHP environment. Let us now turn our attention to these variables.

$_REQUEST is a superglobal variable. It is available in all scopes everywhere in a script as an associative array of the contents of $_GET, $_POST and $_COOKIE variables. These variables in $_REQUEST are made available through the GET, POST, and COOKIE input mechanisms. Potentially, they could be modified by a user and therefore cannot be trusted. The inclusion and order of variables listed in this array is defined by the PHP variables_order configuration directive in the php.ini file.

PHP Superglobals

PHP Superglobals

The variables_order directive sets the order in which the following variables are parsed - EGPCS (Environment, Get, Post, Cookie, and Server). It is a string made of the first letter of the variables. If any are left out, there will be no superglobal variable for the letter available. For example, if variables_order is set to "SP", PHP will create the superglobals $_SERVER and $_POST, but $_ENV, $_GET, and $_COOKIE will not be created at all. If the variables_order is set to "", it effectively means no superglobals are set.

$_REQUEST holds any global data that is registered with the request_order directive in the php.ini file. The order of the data is similar to that of variables_order directive. If request_order is empty, PHP will use the value of variables_order.

If the deprecated register_globals directive is on, then variables_order also configures the order the ENV, GET, POST, COOKIE and SERVER variables are populated in global scope. For example, if variables_order is set to "EGPCS", register_globals is enabled as well as both $_GET['action'] and $_POST['action'] are set, then $action will contain the value of $_POST['action'] as P comes after G in our example directive value.

A final observation in both the CGI and FastCGI SAPIs - $_SERVER holds values from both the Environment and Server. Therefore, in such setups, S is always equivalent to ES regardless of the placement of E elsewhere in this directive. In fact, the E is effectively redundant in these situations.

From the preceding, we can observe many moving parts between a request and what eventually gets processed by the web server. The HttpFoundation component from the Symfony project crystallizes the HTTP specification into a uniform object-oriented layer with two prominent classes - Request and Response. The Request object sanitizes the incoming request and encapsulates it in a single object representing the HTTP request message. It also provides built-in methods for doing certain things, e.g. isSecure(), and provides session-management through a Session object.


HTTP is a stateless protocol. In order to deliver a simple web page, there may be hundreds of HTTP requests. Different web technologies have different approaches to dealing with this situation, e.g. Node.js and Ruby. Drupal 8 is built on a PHP solution provided by the HttpFoundation component from Symfony.

Further reading

  1. RFC 2616 - Hypertext Transfer Protocol -- HTTP/1.1 - IETF Tools
  2. The HttpFoundation Component