In response to a recent thread this week on the PHP Security Consortium mailing list (you are subscribed, aren't you?), Richard Heyes has a new post with more information about PHP superglobals.
Recent post on phpsec mailing list asking about unsafe $_SERVER, $_ENV and $_FILES keys, i.e. keys which are user-input based, and therefore cannot be trusted. Some are not so obvious, so here's a list (which is not definitive - for example SSL usage includes other data). Naturally everything from $_GET, $_POST, $_COOKIE and $_REQUEST should not be trusted.
He also lists some of the $_SERVER and $_FILES keys to watch out for, the basic point being that anything that originates from the user needs to be "sanitized" (validated, and escaped for wherever it ends up) before any real use is made of it. Oh, and of course, $_ENV if you're working on the command line...
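To make the point concrete, here is an added example (not code from Richard Heyes' post) showing three request-derived entries, the Host header in $_SERVER['HTTP_HOST'], the requested path in $_SERVER['PHP_SELF'], and the uploader-chosen filename in $_FILES[...]['name'], next to the check a handler should apply before using each; the allowed hostnames and the sample request data are constructed for the example.

```php
<?php
// Added example, not from the original post. Each function takes the
// relevant superglobal as an argument so the checks can be exercised
// with constructed data instead of a live request.

// Hostnames this application is actually served under (assumed values).
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

// HTTP_HOST is copied from the client's Host header, so it is only safe
// once it has been matched against an allowlist of our own hostnames.
function trustedHost(array $server): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        throw new RuntimeException('Unexpected Host header');
    }
    return $host;
}

// PHP_SELF (like REQUEST_URI and QUERY_STRING) echoes the path the client
// asked for, so it must be HTML-escaped before going into a form's action
// attribute or any other markup.
function safeFormAction(array $server): string
{
    return htmlspecialchars($server['PHP_SELF'] ?? '/', ENT_QUOTES, 'UTF-8');
}

// In $_FILES, 'name' and 'type' are supplied by the uploader; only the
// server-generated 'tmp_name' is trustworthy. Derive a safe target name
// rather than reusing the client's, which may contain path components.
function safeUploadName(array $file): string
{
    $name = basename($file['name'] ?? '');
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    if ($name === '' || $name === '.' || $name === '..') {
        $name = 'upload';
    }
    return $name;
}

// Constructed sample request data, standing in for $_SERVER and $_FILES.
$server = ['HTTP_HOST' => 'www.example.com', 'PHP_SELF' => '/form.php/"x"'];
$file   = ['name' => '../../etc/passwd', 'type' => 'image/png',
           'tmp_name' => '/tmp/php-constructed-example'];

echo trustedHost($server), "\n";
echo safeFormAction($server), "\n";
echo safeUploadName($file), "\n";
```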