This simply means that it is available in all scopes throughout a script.
All HTTP headers sent to the script are made available through the $_SERVER array, with names prefixed by 'HTTP_'.
If login.php/nearly_arbitrary_string is requested, $_SERVER['PHP_SELF'] will contain not just login.php, but the entire login.php/nearly_arbitrary_string.
If you've printed $_SERVER['PHP_SELF'] as the value of the action attribute of your form tag without performing HTML encoding, an attacker can perform XSS attacks by offering users a link to your site such as this: tag an external file, with the submitted username and password as parameters.
Use $_SERVER['SCRIPT_NAME'] instead of $_SERVER['PHP_SELF']. HTML encode every string sent to the browser that should not be interpreted as HTML, unless you are absolutely certain that it cannot contain anything that the browser can interpret as HTML.
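The advice above as an added PHP example (not code from the original page): the same form tag built from an unencoded PHP_SELF, from an encoded PHP_SELF, and from an encoded SCRIPT_NAME. The helper names and the sample request values are assumptions constructed for illustration.

```php
<?php
// Added example. Function names are hypothetical; the $server values are
// constructed to mimic a request for /login.php with extra path info appended.

/** HTML-encode a value for use in a quoted attribute or a text node. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Before: PHP_SELF is printed as-is, so trailing path info reaches the markup. */
function render_form_unsafe(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

/** Partial fix: encoding keeps the value inside the attribute, but the
 *  action URL still contains whatever the requester appended. */
function render_form_encoded(array $server): string
{
    return '<form method="post" action="' . h($server['PHP_SELF']) . '">';
}

/** After: SCRIPT_NAME carries no path info, and it is still encoded on output. */
function render_form_safe(array $server): string
{
    return '<form method="post" action="' . h($server['SCRIPT_NAME']) . '">';
}

/** Regression check: the action attribute must be the only thing in the tag
 *  that varies, with no quote or angle bracket closing it early. */
function attribute_intact(string $html): bool
{
    return preg_match('/^<form method="post" action="[^"<>]*">$/', $html) === 1;
}

$server = [
    'SCRIPT_NAME' => '/login.php',
    'PHP_SELF'    => '/login.php/"><b>injected</b>',  // constructed path info
];

foreach (['render_form_unsafe', 'render_form_encoded', 'render_form_safe'] as $fn) {
    $html = $fn($server);
    printf("%-20s intact=%s  %s\n", $fn, var_export(attribute_intact($html), true), $html);
}
```

Only the unencoded variant lets the constructed path info close the action attribute and add its own markup; the SCRIPT_NAME variant also keeps the extra path out of the form target entirely.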
When called via the GET method, this will contain the query string.
in order to get the physical (real) port, otherwise, this value can be spoofed and it may or may not return the physical port value.
It is not safe to rely on this value in security-dependent contexts.
Note: This is a 'superglobal', or automatic global, variable.
$_SERVER is an array containing information such as headers, paths, and script locations.
The entries in this array are created by the web server.
There is no guarantee that every web server will provide any of these; servers may omit some, or provide others not listed here.
That said, a large number of these variables are accounted for in the CGI/1.1 specification, so you should be able to expect those.
When the script is run on the command line, this gives C-style access to the command line parameters.