PHP Post Limited to 1000 Variables

php Post limited to 1000 variables

I see what you did here.

max_input_vars, 1000

Introduced in order to prevent hash collision attack:
http://www.phpclasses.org/blog/post/171-PHP-Vulnerability-May-Halt-Millions-of-Servers.html
But failed in 5.3.9:
http://www.phpclasses.org/blog/post/175-Another-Serious-Security-Bug-on-PHP-539.html
So you should update to 5.3.10+ if that is problem.

How to determine that POST method more than 1000 variables by PHP default?

You mean count($_POST, true) ?

count ( mixed $array_or_countable [, int $mode = COUNT_NORMAL ] )

mode

If the optional mode parameter is set to COUNT_RECURSIVE (or 1), count() will recursively count the array. This is particularly useful for counting all the elements of a multidimensional array.

I suppose this is more proper:

count($_POST, COUNT_RECURSIVE)

Special attention to recursively count the array

Of course by the time you can count them you may have already exceeded the limit, which is for HashDos (array hash table collision attacks).

I watched a good webinar by the Boss man "Rasmus Lerdorf" (the guy that invented PHP) a few years ago now on it ( on HashDos not counting arrays ... lol ).

*PS - if you didn't know count could take 2 arguments, I won't say how long it took me to figure that one out....

Warning: Input variables exceeded 1000

I found out that the right way to handle json data directly in PHP (via file_get_contents('php://input')) is to make sure the request sets the right content-type i.e. Content-type: application/json in the HTTP request header.

In my case I'm requesting pages from php using curl with to this code:

function curl_post($url, array $post = NULL, array $options = array()) {
  $defaults = array(
    CURLOPT_POST => 1,
    CURLOPT_HEADER => 0,
    CURLOPT_URL => $url,
    CURLOPT_FRESH_CONNECT => 1,
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_FORBID_REUSE => 1,
    CURLOPT_TIMEOUT => 600
  );
  if(!is_null($post))
    $defaults['CURLOPT_POSTFIELDS'] = http_build_query($post);
  $ch = curl_init();
  curl_setopt_array($ch, ($options + $defaults));
  if(($result = curl_exec($ch)) === false) {
    throw new Exception(curl_error($ch) . "\n $url");
  }
  if(curl_getinfo($ch, CURLINFO_HTTP_CODE) != 200) {
    throw new Exception("Curl error: ". 
      curl_getinfo($ch, CURLINFO_HTTP_CODE) ."\n".$result . "\n");
  }
  curl_close($ch);
  return $result;
}

$curl_result = curl_post(URL, NULL,
    array(CURLOPT_HTTPHEADER => array('Content-Type: application/json'),
      CURLOPT_POSTFIELDS => json_encode($out))
    );

Do note the CURLOPT_HTTPHEADER => array('Content-Type: application/json') part.

On the receiving side I'm using the following code:

$rawData = file_get_contents('php://input');
$postedJson = json_decode($rawData,true);
if(json_last_error() != JSON_ERROR_NONE) {
  error_log('Last JSON error: '. json_last_error(). 
    json_last_error_msg() . PHP_EOL. PHP_EOL,0);
}

Do not change the max_input_vars variable. Since changing the request to set right headers my issue with max_input_vars went away. Apparently does not PHP evaluate the post variables with certain Content-type is set.

How to change maximum number of POST variable in PHP?

PHP 5.3.9 introduced the max_input_vars config option, which is defaulted to a value of 1000. Check out the Runtime Configuration section of the PHP manual. The default value and the change log are at the top of the page.

The value can be changed by updating the server's php.ini, adding an .htaccess file, or adding a line to httpd.conf.

What is the size limit of a post request?

It depends on a server configuration. If you're working with PHP under Linux or similar, you can control it using .htaccess configuration file, like so:

#set max post size
php_value post_max_size 20M

And, yes, I can personally attest to the fact that this works :)

If you're using IIS, I don't have any idea how you'd set this particular value.

Cannot change PHP post variable limit

Well, it should work after setting max_input_var = 5000 in php.ini. Try to debug it using .htaccess file OR send all the post parameters as a single parameter separated by a unique identifier like "@#" and then split that string in another files using explode function of PHP into an array and use that array for further computation.

OR change your code like this:

 <?php
            for ($i=1; $i <= 1100; $i++)
            {
                echo "<input type=text name=a[] value=$i /><br />\n";
            }
 ?>

See I have given same name to all the fields where a is a blank array. When you click on send button, it will send an array in post and then on next page you can use given code to parse all the values

<body>
    <?php
        $finalarray = $_POST['a'];
        $count = count($finalarray);
        for ($i=0; $i <= $count; $i++)
        {
            $num = $finalarray[$i];
            echo "Num: $num<br />";
        }
    ?>
</body>

I hope it will work fine.

Limit of POST arguments in html or php

I don't think there is a limit to the number of variables sent through POST, just on their accumulated size. The limit varies from server to server.

Update: The Suhosin PHP hardening patch can in fact impose a limit on the number of request variables. The default is 2001000. Suhosin is installed by default on Ubuntu, so it could be the reason for your problem. Info courtesy of @Pascal Martin, cheers!

There are two factors to limiting the POST maximum size:

• The PHP setting post_max_size
• Indirectly, also the PHP setting max_input_vars

You can find out its value using phpinfo().

And the web server's limits:

• LimitRequestBody in Apache
• MaxClientRequestBuffer on IIS

In your specific case, you may want to add what kind of server you are running this on, and how big the data is. Are the 520 arguments coming anywhere near post_max_size? What happens if you do a print_r($_REQUEST) in the receiving script?

---

Related Topics