Variable Precedence and Initialization

When a script starts, the initial values for global variables come from one of several sources, in order of decreasing precedence:

• URL state EXPORTed variables from the URL.

• State table EXPORTed variables from the state table.

• Command line Variables initialized on the command line.

• Environment Environment variables set by the server, such as $REMOTE_ADDR.

• HTTP cookies The value of any HTTP cookies sent by the Web client.

• URL Ordinary URL variables given in the query string of the URL (i.e. via the GET method on a form, or EXPORT QUERY variables).

• Content Query-string style variables given in the content (i.e. the POST method on a form). These could also be multipart MIME variables from a form upload (p here).

These sources are checked in decreasing order: the first source that has values for a given variable will be used. Only values from this first (highest precedence) source will be used to initialize the global variable. If none of these sources has a value for the variable, it has no initial values.

Because of this ordering, lower-precedence values cannot override higher ones when more than one source has values for the same variable. An EXPORTed state variable will always have its state value rather than the value from a form if both are given; the form value is only used if no state was saved. An environment variable like $REMOTE_ADDR will be used rather than a URL variable of the same name. This helps prevent (un)intentional manipulation of a script's variables by the Web client: more "trusted" sources are used before less "trusted" ones.

This precedence ordering can be altered in EXPORTed variables by using the USEROK flag (here). When an EXPORT variable is flagged USEROK, the URL and Content sources (i.e. form variables) have highest precedence, before the state is checked.