PHP Superglobal – $_REQUEST

Handling Form Data in PHP | A Comprehensive Guide to $_GET, $_POST, and Form Security

Introduction:

Learn how to effectively handle form data in PHP using superglobal arrays $_GET and $_POST. This comprehensive guide covers best practices, security considerations, and essential techniques for building robust web applications.

PHP, $_REQUEST

In PHP, $_REQUEST is a superglobal array that is used to collect data from HTML forms with the method attribute set to “post” or “get,” or from the URL parameters. It merges the content of $_GET, $_POST, and $_COOKIE arrays into one associative array.

Here’s a brief explanation of the three arrays:

$_GET:

An associative array of variables passed to the current script via the URL parameters (HTTP GET method).

$_POST:

An associative array of variables passed to the current script via the HTTP POST method when using forms with method=”post”.

$_COOKIE:

An associative array of variables passed to the current script via HTTP Cookies.

• $_REQUEST allows you to access data regardless of the request method used (GET or POST), and it automatically takes care of the merging process.
• However, relying on $_REQUEST is not always recommended because it makes the code less clear and could lead to security issues, especially if you are not aware of the data sources.

Example usage:

<?php
// Assuming the form has a text input with the name attribute set to "username"
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$username = $_REQUEST['username'];
echo "Hello, $username!";
}
?>

<!-- HTML form -->
<form method="post" action="">
<label for="username">Username:</label>
<input type="text" name="username" id="username">
<input type="submit" value="Submit">
</form>

• In the example above, when the form is submitted, the PHP script checks if the request method is POST and then retrieves the value of the “username” field from $_REQUEST.
• It’s essential to validate and sanitize user input to prevent security vulnerabilities such as SQL injection or cross-site scripting (XSS).

complete example: create a simple HTML form with PHP

• let’s create a simple HTML form with PHP that takes a user’s name as input and displays a greeting message.
• This example will use the $_REQUEST superglobal to retrieve the input data.

Create an HTML file (e.g., index.html):

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>PHP Form Example</title>
</head>
<body>

<h1>Greetings Form</h1>

<!-- HTML form with method="post" -->
<form method="post" action="greet.php">
<label for="username">Your Name:</label>
<input type="text" name="username" id="username" required>
<input type="submit" value="Submit">
</form>

</body>
</html>

In this HTML file:

• The form has the method attribute set to “post,” indicating that the form data will be sent using the POST method.
• The form has an input field with the name attribute set to “username.” This is the field where the user will input their name.
• The form uses the “required” attribute to ensure that the user must fill in the name field before submitting the form.
• The form’s action attribute is set to “greet.php,” which is the PHP script that will handle the form submission.

Create a PHP file (e.g., greet.php):

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// Retrieve the username from the form data using $_REQUEST
$username = $_REQUEST['username'];

// Display a greeting message
echo "Hello, $username! Welcome to our website.";
} else {
// If accessed directly without submitting the form
echo "Please submit the form.";
}
?>

In this PHP file:

• It checks if the request method is POST using $_SERVER[‘REQUEST_METHOD’].
• If it is a POST request, it retrieves the username from the form data using $_REQUEST.
• It then displays a greeting message containing the user’s name.
• If accessed directly without submitting the form, it prompts the user to submit the form.
• Now, when you open the index.html file in a web browser, you’ll see a form where you can enter your name.
• After submitting the form, you’ll be redirected to the greet.php script, which will display a greeting message.

Uses of PHP – $_REQUEST:with examples and explanation

• The $_REQUEST variable in PHP is a superglobal array that is used to collect data from HTML forms.
• It merges the content of $_GET, $_POST, and $_COOKIE arrays into one associative array.

Here are some use cases and examples of when and how to use $_REQUEST:

Processing Form Data:

You can use $_REQUEST to handle form submissions, regardless of whether the form uses the GET or POST method.

This can make your code more flexible and handle form data in a unified way.

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$username = $_REQUEST['username'];
echo "Hello, $username!";
}
?>

• In this example, the PHP script checks if the form was submitted using the POST method.
• It then retrieves the value of the “username” field from $_REQUEST and displays a greeting message.

Accessing URL Parameters:

• If you have parameters in the URL (e.g., example.com/page.php?param=value), you can use $_REQUEST to access them.
• However, it’s important to validate and sanitize input to prevent security vulnerabilities.

<?php
$paramValue = $_REQUEST['param'];
echo "Parameter Value: $paramValue";
?>

Here, the script retrieves the value of the “param” parameter from the URL using $_REQUEST.

Handling Cookies:

$_REQUEST includes data from cookies as well. You can use it to access cookie values.

<?php
$cookieValue = $_REQUEST['cookie_name'];
echo "Cookie Value: $cookieValue";
?>

This example retrieves the value of a cookie named “cookie_name” using $_REQUEST.

Handling Hybrid Forms:

In some cases, you might have forms that use both GET and POST methods. Using $_REQUEST can simplify handling data from such hybrid forms.

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$username = $_REQUEST['username'];
$email = $_REQUEST['email'];
// Process the form data
}
?>

Here, the script processes both “username” and “email” fields, regardless of whether they were submitted using GET or POST.

• While $_REQUEST provides a convenient way to access data from different sources, it’s essential to be cautious. Mixing data from various sources can lead to security vulnerabilities. It’s often recommended to use $_GET or $_POST explicitly based on the expected source of the data, making the code more readable and secure.
• Additionally, always validate and sanitize user input to prevent common security risks.

Processing Form Data:complete example 

• Let’s create a simple HTML form that collects a user’s name and processes the data using PHP.
• This example will use the $_REQUEST superglobal to handle form submissions, making it flexible to both GET and POST methods.

Create an HTML file (e.g., form_example.html):

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Form Processing Example</title>
</head>
<body>

<h1>User Greeting Form</h1>

<!-- HTML form with method="post" -->
<form method="post" action="process_form.php">
<label for="username">Your Name:</label>
<input type="text" name="username" id="username" required>
<input type="submit" value="Submit">
</form>

</body>
</html>

In this HTML file:

• The form has the method attribute set to “post,” indicating that the form data will be sent using the POST method.
• The form has an input field with the name attribute set to “username.” This is the field where the user will input their name.
• The form uses the “required” attribute to ensure that the user must fill in the name field before submitting the form.
• The form’s action attribute is set to “process_form.php,” which is the PHP script that will handle the form submission.

Create a PHP file (e.g., process_form.php):

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// Retrieve the username from the form data using $_REQUEST
$username = $_REQUEST['username'];

// Display a greeting message
echo "Hello, $username! Thank you for submitting the form.";
} else {
// If accessed directly without submitting the form
echo "Please submit the form.";
}
?>

In this PHP file:

• It checks if the request method is POST using $_SERVER[‘REQUEST_METHOD’].
• If it is a POST request, it retrieves the username from the form data using $_REQUEST.
• It then displays a greeting message containing the user’s name.
• If accessed directly without submitting the form, it prompts the user to submit the form.
• Now, when you open the form_example.html file in a web browser, you’ll see a form where you can enter your name.
• After submitting the form, you’ll be redirected to the process_form.php script, which will display a greeting message based on the entered name.
• The use of $_REQUEST makes it flexible to handle form data regardless of the submission method (GET or POST).

Accessing URL Parameters:complete example 

• let’s create an example where we retrieve and display a parameter from the URL using PHP.
• This example will showcase the usage of $_REQUEST to access URL parameters.

Create an HTML file (e.g., url_parameter_example.html):

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>URL Parameter Example</title>
</head>
<body>

<h1>URL Parameter Example</h1>

<p>This page displays a parameter from the URL.</p>

</body>
</html>

This HTML file serves as a simple page where we will display the parameter retrieved from the URL.

Create a PHP file (e.g., display_parameter.php):

<?php
// Check if the parameter is set in the URL
if (isset($_REQUEST['param'])) {
// Retrieve the parameter from the URL using $_REQUEST
$paramValue = $_REQUEST['param'];

// Display the parameter value
echo "<p>Parameter Value: $paramValue</p>";
} else {
// If the parameter is not set in the URL
echo "<p>No parameter found in the URL.</p>";
}
?>

In this PHP file:

• It checks if the parameter named “param” is set in the URL using isset($_REQUEST[‘param’]).
• If the parameter is set, it retrieves the parameter value using $_REQUEST[‘param’].
• It then displays the parameter value.
• If the parameter is not set, it displays a message indicating that no parameter was found in the URL.
• Now, create a URL with the parameter. You can manually add the parameter to the URL or create a link from another page. For example, accessing display_parameter.php?param=HelloWorld in your browser.
• By visiting display_parameter.php?param=HelloWorld, you should see a message displaying the parameter value “HelloWorld.” If you access display_parameter.php without the parameter, it will show a message stating that no parameter was found.

This example demonstrates how to use $_REQUEST to access URL parameters, providing flexibility to handle parameters from both GET and POST methods. However, it’s important to validate and sanitize input to ensure security in a real-world application.

Handling Cookies:complete example 

• Let’s create an example where we retrieve and display a cookie value using PHP.
• This example will showcase the usage of $_REQUEST to access cookie values.

Create an HTML file (e.g., cookie_example.html):

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Cookie Example</title>
</head>
<body>

<h1>Cookie Example</h1>

<p>This page displays a value from a cookie.</p>

</body>
</html>

This HTML file serves as a simple page where we will display the value of a cookie.

Create a PHP file (e.g., display_cookie.php):

<?php
// Check if the cookie is set
if (isset($_REQUEST['cookie_name'])) {
// Retrieve the cookie value using $_REQUEST
$cookieValue = $_REQUEST['cookie_name'];

// Display the cookie value
echo "<p>Cookie Value: $cookieValue</p>";
} else {
// If the cookie is not set
echo "<p>No cookie found.</p>";
}
?>

In this PHP file:

• It checks if the cookie named “cookie_name” is set using isset($_REQUEST[‘cookie_name’]).
• If the cookie is set, it retrieves the cookie value using $_REQUEST[‘cookie_name’].
• It then displays the cookie value.
• If the cookie is not set, it displays a message indicating that no cookie was found.
• Set a cookie value.

You can manually set a cookie using JavaScript or set it from another server-side script.

For example, set a cookie using JavaScript:

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Set Cookie Example</title>
</head>
<body>

<h1>Set Cookie Example</h1>

<script>
// Set a cookie with the name "cookie_name" and value "HelloCookie"
document.cookie = "cookie_name=HelloCookie";
</script>

<p>Cookie has been set. <a href="display_cookie.php">View Cookie</a></p>

</body>
</html>

In this JavaScript code:

• It sets a cookie named “cookie_name” with the value “HelloCookie.”
• Visit the display_cookie.php page.
• You can do this by clicking the “View Cookie” link from the set_cookie.html page.
• By visiting display_cookie.php, you should see a message displaying the value of the cookie “cookie_name” if it has been set.
• If the cookie is not set, it will display a message indicating that no cookie was found.

This example demonstrates how to use $_REQUEST to access cookie values. However, in practical scenarios, cookies are often set and retrieved using JavaScript on the client side and sent to the server with each request.

Handling Hybrid Forms:complete example 

• Let’s create an example where we handle a hybrid form, which means the form can be submitted using both the GET and POST methods.
• This example will showcase the usage of $_REQUEST to process form data regardless of the submission method.

Create an HTML file (e.g., hybrid_form_example.html):

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Hybrid Form Example</title>
</head>
<body>

<h1>Hybrid Form Example</h1>

<!-- HTML form with method="post" -->
<form method="post" action="process_hybrid_form.php">
<label for="username">Your Name:</label>
<input type="text" name="username" id="username" required>
<input type="submit" value="Submit">
</form>

<!-- HTML form with method="get" -->
<form method="get" action="process_hybrid_form.php">
<label for="email">Your Email:</label>
<input type="email" name="email" id="email" required>
<input type="submit" value="Submit">
</form>

</body>
</html>

In this HTML file:

• Two forms are included on the page—one with the method attribute set to “post” and the other set to “get.”
• Each form has its own set of input fields (name and email).
• The forms both submit data to the same processing script (process_hybrid_form.php).

Create a PHP file (e.g., process_hybrid_form.php):

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST' || $_SERVER['REQUEST_METHOD'] == 'GET') {
// Retrieve the data from the form using $_REQUEST
$username = $_REQUEST['username'] ?? '';
$email = $_REQUEST['email'] ?? '';

// Display a message based on the submitted data
if (!empty($username)) {
echo "Hello, $username!";
}

if (!empty($email)) {
echo "Your email is: $email";
}
} else {
// If accessed directly without submitting the form
echo "Please submit the form.";
}
?>

In this PHP file:

• It checks if the request method is either POST or GET using $_SERVER[‘REQUEST_METHOD’].
• It retrieves the data from the form using $_REQUEST based on the form’s submission method.
• It displays a greeting message if the “username” field is submitted and an email message if the “email” field is submitted.
• If accessed directly without submitting the form, it prompts the user to submit the form.

Now, when you open the hybrid_form_example.html file in a web browser, you’ll see two forms—one for entering a name and another for entering an email address. Submitting either form will take you to the process_hybrid_form.php script, which will process the submitted data and display a relevant message. The use of $_REQUEST allows for handling hybrid forms with different submission methods.

Using $_REQUEST on $_POST Requests

• While using $_REQUEST for handling both $_GET and $_POST requests is possible, it’s generally recommended to use $_POST directly for handling form submissions.
• The reason for this recommendation is that it helps improve code readability, reduces potential security risks, and aligns with best practices for handling different types of requests.

Here’s an example of how you might handle a $_POST request directly:

Create an HTML file (e.g., post_form_example.html):

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>POST Form Example</title>
</head>
<body>

<h1>POST Form Example</h1>

<!-- HTML form with method="post" -->
<form method="post" action="process_post_form.php">
<label for="username">Your Name:</label>
<input type="text" name="username" id="username" required>
<input type="submit" value="Submit">
</form>

</body>
</html>

Create a PHP file (e.g., process_post_form.php):

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// Retrieve the data from the form using $_POST
$username = $_POST['username'] ?? '';

// Display a greeting message
echo "Hello, $username!";
} else {
// If accessed directly without submitting the form
echo "Please submit the form.";
}
?>

• In this example, we use $_POST directly to retrieve the form data.
• This is considered a good practice because it explicitly indicates that we are expecting data from a form submission, and it avoids potential conflicts or security issues that might arise from using $_REQUEST.

While $_REQUEST is still available and can handle both $_GET and $_POST data, it’s recommended to use specific superglobals like $_GET or $_POST based on the expected data source.This approach makes the code more readable and reduces the risk of unintentional conflicts or vulnerabilities.

Using $_REQUEST on $_GET Requests

• Using $_REQUEST for handling $_GET requests is possible, but it is generally recommended to use $_GET directly.
• The reason is similar to the recommendation for handling $_POST requests—it improves code readability, reduces potential security risks, and aligns with best practices.

Here’s an example of how you might handle a $_GET request directly:

Create an HTML file (e.g., get_request_example.html):

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>GET Request Example</title>
</head>
<body>

<h1>GET Request Example</h1>

<!-- HTML form with method="get" -->
<form method="get" action="process_get_request.php">
<label for="username">Your Name:</label>
<input type="text" name="username" id="username" required>
<input type="submit" value="Submit">
</form>

</body>
</html>

Create a PHP file (e.g., process_get_request.php):

<?php
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
// Retrieve the data from the form using $_GET
$username = $_GET['username'] ?? '';

// Display a greeting message
echo "Hello, $username!";
} else {
// If accessed directly without submitting the form
echo "Please submit the form.";
}
?>

• In this example, we use $_GET directly to retrieve the form data.
• This explicitly indicates that we are expecting data from a GET request. Using $_GET is more precise and avoids potential conflicts or security issues that might arise from using $_REQUEST.

While $_REQUEST can handle both $_GET and $_POST data, using specific superglobals like $_GET or $_POST based on the expected data source is considered a good practice. It enhances code clarity and reduces the risk of unintentional conflicts or vulnerabilities.

ِAn application:Form Handling Application

• Let’s create a simple PHP application that demonstrates the handling of both $_GET and $_POST requests using separate PHP files for each method.
• This application will consist of an HTML form to collect user data and two PHP files to process the form submissions—one for $_GET requests and another for $_POST requests.

Create the HTML form (index.html):

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Form Handling Application</title>
</head>
<body>

<h1>Form Handling Application</h1>

<!-- HTML form with method="get" -->
<form method="get" action="process_get.php">
<label for="get_username">Your Name (GET):</label>
<input type="text" name="get_username" id="get_username" required>
<input type="submit" value="Submit (GET)">
</form>

<!-- HTML form with method="post" -->
<form method="post" action="process_post.php">
<label for="post_username">Your Name (POST):</label>
<input type="text" name="post_username" id="post_username" required>
<input type="submit" value="Submit (POST)">
</form>

</body>
</html>

In this HTML file, we have two forms—one for $_GET requests and another for $_POST requests. Each form has an input field to collect the user’s name.

Create the PHP file for processing $_GET requests (process_get.php):

<?php
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
// Retrieve the data from the form using $_GET
$get_username = $_GET['get_username'] ?? '';

// Display a greeting message for GET requests
echo "Hello, $get_username! This message is from the GET request.";
} else {
// If accessed directly without submitting the form
echo "Please submit the form.";
}
?>

• In this PHP file, we check if the request method is GET and retrieve the user’s name from the $_GET superglobal.
• We then display a greeting message for $_GET requests.

Create the PHP file for processing $_POST requests (process_post.php):

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// Retrieve the data from the form using $_POST
$post_username = $_POST['post_username'] ?? '';

// Display a greeting message for POST requests
echo "Hello, $post_username! This message is from the POST request.";
} else {
// If accessed directly without submitting the form
echo "Please submit the form.";
}
?>

• In this PHP file, we check if the request method is POST and retrieve the user’s name from the $_POST superglobal. We then display a greeting message for $_POST requests.

Now, when you open the index.html file in a web browser, you’ll see two forms—one for $_GET requests and another for $_POST requests. After submitting each form, you’ll be redirected to the respective PHP file (process_get.php or process_post.php), which will display a greeting message based on the submitted data and request method.

Quiz about the $_REQUEST superglobal in PHP:15 questions 

Quiz Questions:

1-What is the purpose of the $_REQUEST superglobal in PHP?

A) To retrieve data from HTML forms submitted using the POST method.
B) To retrieve data from HTML forms submitted using the GET method.
C) To merge data from both POST and GET methods into one array.
D) To retrieve data from URL parameters.
Explanation: C) $_REQUEST is used to merge data from both POST and GET methods into one array.

2-Which superglobal should be used to retrieve data from HTML forms submitted using the POST method?

A) $_POST
B) $_GET
C) $_REQUEST
D) $_FORM
Explanation: A) $_POST is specifically used to retrieve data from HTML forms submitted using the POST method.

3-In PHP, which method is commonly used to send form data securely without exposing it in the URL?

A) GET
B) POST
C) REQUEST
D) FORM
Explanation: B) The POST method is commonly used to send form data securely without exposing it in the URL.

4-What is the purpose of the required attribute in an HTML form input field?

A) It ensures that the input field is read-only.
B) It ensures that the input field must be filled out before submitting the form.
C) It sets a default value for the input field.
D) It makes the input field optional.
Explanation: B) The required attribute ensures that the input field must be filled out before submitting the form.

5-Which superglobal array contains data from the URL parameters?

A) $_GET
B) $_POST
C) $_REQUEST
D) $_URL
Explanation: A) $_GET contains data from the URL parameters.

6-Why is it recommended to use $_POST instead of $_REQUEST for handling form submissions?

A) $_POST is more secure and prevents potential security vulnerabilities.
B) $_POST is easier to use.
C) $_POST is the only superglobal for handling form submissions.
D) $_REQUEST is deprecated.
Explanation: A) $_POST is more secure and prevents potential security vulnerabilities, making it a better choice for handling form submissions.

7-Which superglobal array contains data from cookies?

A) $_COOKIE
B) $_COOK
C) $_SESSION
D) $_REQUEST
Explanation: A) $_COOKIE contains data from cookies.

8-What is the purpose of validating and sanitizing user input in PHP?

A) To make the code shorter.
B) To enhance code readability.
C) To prevent security vulnerabilities such as SQL injection or cross-site scripting (XSS).
D) To speed up the execution of PHP scripts.
Explanation: C) Validating and sanitizing user input helps prevent security vulnerabilities such as SQL injection or cross-site scripting (XSS).

9-In the context of HTML forms, what does CSRF stand for?

A) Cross-Site Request Forgery
B) Common Server Request Format
C) Cross-Site Request Form
D) Code Security Request Framework
Explanation: A) CSRF stands for Cross-Site Request Forgery.

10-Which method attribute in an HTML form is used to send form data as a query string appended to the URL?

A) POST
B) GET
C) REQUEST
D) QUERY
Explanation: B) The GET method is used to send form data as a query string appended to the URL.

11-What is the primary difference between $_GET and $_POST in PHP?

A) $_GET is used for secure data transmission, while $_POST is used for insecure data transmission.
B) $_GET appends data to the URL, while $_POST sends data in the request body.
C) $_GET is only used for form submissions, while $_POST is used for URL parameters.
D) There is no difference; they can be used interchangeably.
Explanation: B) $_GET appends data to the URL, while $_POST sends data in the request body.

12-When using PHP to handle form submissions, what is SQL injection, and how can it be prevented?

A) SQL injection is a method to speed up database queries. It can be prevented by using a faster database engine.
B) SQL injection is a security vulnerability where attackers insert malicious SQL code into input fields. It can be prevented by using prepared statements or parameterized queries.
C) SQL injection is a technique to manipulate cookies. It can be prevented by encrypting cookie data.
D) SQL injection is a way to bypass form validation. It can be prevented by increasing form validation complexity.
Explanation: B) SQL injection is a security vulnerability where attackers insert malicious SQL code into input fields. It can be prevented by using prepared statements or parameterized queries.

13-Why is it important to validate and sanitize user input even when using $_POST or $_COOKIE data?

A) Validation and sanitization are only necessary for $_GET data.
B) $_POST and $_COOKIE data are inherently secure and do not require validation.
C) User input can be manipulated or contain malicious content, leading to security vulnerabilities.
D) PHP automatically validates and sanitizes all incoming data.
Explanation: C) User input can be manipulated or contain malicious content, leading to security vulnerabilities.

14-In PHP, what function is commonly used for sanitizing user input to prevent cross-site scripting (XSS) attacks?

A) htmlspecialchars()
B) urlencode()
C) strip_tags()
D) htmlentities()
Explanation: A) htmlspecialchars() is commonly used for sanitizing user input to prevent cross-site scripting (XSS) attacks.

15-What is the purpose of the $_FILES superglobal in PHP?

A) To retrieve data from cookies.
B) To handle file uploads in HTML forms.
C) To access data from the URL parameters.
D) To store session data.
Explanation: B) The $_FILES superglobal is used to handle file uploads in HTML forms.