PHP Warning: Unknown: Input Variables Exceeded 1000

Warning: Input variables exceeded 1000

I found out that the right way to handle json data directly in PHP (via file_get_contents('php://input')) is to make sure the request sets the right content-type i.e. Content-type: application/json in the HTTP request header.

In my case I'm requesting pages from PHP using curl with this code:

function curl_post($url, array $post = NULL, array $options = array()) {
    // Default transfer options; entries in $options take precedence.
    $defaults = array(
        CURLOPT_POST => 1,
        CURLOPT_HEADER => 0,
        CURLOPT_URL => $url,
        CURLOPT_FRESH_CONNECT => 1,
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_FORBID_REUSE => 1,
        CURLOPT_TIMEOUT => 600
    );
    if (!is_null($post)) {
        // The key must be the CURLOPT_POSTFIELDS constant, not a string.
        $defaults[CURLOPT_POSTFIELDS] = http_build_query($post);
    }
    $ch = curl_init();
    curl_setopt_array($ch, ($options + $defaults));
    if (($result = curl_exec($ch)) === false) {
        throw new Exception(curl_error($ch) . "\n $url");
    }
    if (curl_getinfo($ch, CURLINFO_HTTP_CODE) != 200) {
        throw new Exception("Curl error: " .
            curl_getinfo($ch, CURLINFO_HTTP_CODE) . "\n" . $result . "\n");
    }
    curl_close($ch);
    return $result;
}

// Send $out as a JSON body with the matching Content-Type header.
$curl_result = curl_post(URL, NULL,
    array(CURLOPT_HTTPHEADER => array('Content-Type: application/json'),
          CURLOPT_POSTFIELDS => json_encode($out))
);

Do note the CURLOPT_HTTPHEADER => array('Content-Type: application/json') part.

On the receiving side I'm using the following code:

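// Read the raw request body and decode it as an associative array.
$rawData = file_get_contents('php://input');
$postedJson = json_decode($rawData, true);
if (json_last_error() != JSON_ERROR_NONE) {
    // Log the numeric error code followed by its message.
    error_log('Last JSON error: ' . json_last_error() . ' ' .
        json_last_error_msg() . PHP_EOL . PHP_EOL, 0);
}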

Do not change the max_input_vars variable. Since changing the request to set the right headers, my issue with max_input_vars went away. Apparently PHP does not evaluate the post variables when a certain Content-type is set.
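
Because a JSON body read from php://input is not parsed into input variables, max_input_vars does not bound it, so the receiving script has to set its own limits. The following is an added example, not part of the original answer; the function name readJsonBody and the three limit values are assumptions.

```php
<?php
// Added example: bounds for a JSON endpoint. The three limits are assumed values.
const MAX_BODY_BYTES = 1048576; // 1 MiB
const MAX_JSON_DEPTH = 16;      // nesting cap; deeper input fails with JSON_ERROR_DEPTH
const MAX_JSON_NODES = 5000;    // total decoded elements

function readJsonBody(string $contentType, string $raw): array
{
    // Accept only application/json; a "; charset=..." parameter may follow.
    $mediaType = strtolower(trim(explode(';', $contentType)[0]));
    if ($mediaType !== 'application/json') {
        throw new InvalidArgumentException('Unsupported content type', 415);
    }
    if (strlen($raw) > MAX_BODY_BYTES) {
        throw new LengthException('Body too large', 413);
    }
    $data = json_decode($raw, true, MAX_JSON_DEPTH);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new InvalidArgumentException('Invalid JSON: ' . json_last_error_msg(), 400);
    }
    if (!is_array($data)) {
        throw new InvalidArgumentException('Expected a JSON object or array', 400);
    }
    if (count($data, COUNT_RECURSIVE) > MAX_JSON_NODES) {
        throw new LengthException('Too many elements', 413);
    }
    return $data;
}

if (PHP_SAPI !== 'cli') {
    // Web request: read one byte past the cap so an oversized body is detected.
    try {
        $raw = (string) file_get_contents('php://input', false, null, 0, MAX_BODY_BYTES + 1);
        $postedJson = readJsonBody($_SERVER['CONTENT_TYPE'] ?? '', $raw);
    } catch (Exception $e) {
        http_response_code($e->getCode());
        error_log('Rejected JSON request: ' . $e->getMessage());
        exit;
    }
} else {
    // Command line: constructed samples showing one accepted and one rejected body.
    $samples = ['{"items":[1,2,3]}', str_repeat('[', 32) . str_repeat(']', 32)];
    foreach ($samples as $sample) {
        try {
            echo count(readJsonBody('application/json; charset=utf-8', $sample)), " top-level element(s)\n";
        } catch (Exception $e) {
            echo 'rejected: ', $e->getMessage(), "\n";
        }
    }
}
```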

PHP Warning: Unknown: Input variables exceeded 1000

That's a new setting / value in PHP (related to a security update to prevent attacks on PHP scripts), so you get this after the update (before PHP 5.3.9 it was not set/available; suhosin users have had a similar thing for ages).

Input values are of different kinds and array members count as well. So it's not enough to count form fields but also to take a look into the URL and other places related to input ($_GET, $_POST, $_SERVER, $_ENV, $_FILES, $_COOKIE ...).

See max_input_vars:

How many input variables may be accepted. Use of this directive mitigates the possibility of denial of service attacks which use hash collisions. If there are more input variables than specified by this directive, an E_WARNING is issued, and further input variables are truncated from the request. This limit applies only to each nesting level of a multi-dimensional input array.

How to change max_input_vars

ASH suggested

ini_set('max_input_vars','2000' );

but this never works with ini_set.
You need to set it in php.ini or a .htaccess file only.

php: max_input_vars exceeded 1000

This does not have anything to do with the DB record count, but rather with the size of the data that you are sending to the server.

The following is what the manual says:

How many input variables may be accepted (limit is applied to $_GET, $_POST and $_COOKIE superglobal separately). Use of this directive mitigates the possibility of denial of service attacks which use hash collisions. If there are more input variables than specified by this directive, an E_WARNING is issued, and further input variables are truncated from the request.

If you do not want to update php.ini you can try using .htaccess:

php_value max_input_vars 10000

PHP Warning: Unknown: Input variables exceeded 1000

On some distributions there are multiple php.ini files - one for cli, one for cgi and one for apache (or sapi).

If you use mod_php you might need to change /etc/php5/apache2/php.ini (this path is valid for Debian) and afterwards you must restart the webserver.

In order to find out which php.ini was used, you can create a small php script containing <?php phpinfo(); ?> and execute it (using the webserver). There you will see which php.ini was used.

How should I track down PHP Warning: Input variables exceeded 1000

If it only happens occasionally and potentially also affects end users it's actually rather safe to just raise the limit - it's a limitation imposed for practical reasons to circumvent possible attacks.

Practically, to debug this I'd dive into edge cases. In a real world scenario I'd indeed expect this error to only occur when something is nested indefinitely. I'd insert a small detection script somewhere in code that's always included, for example:

function detectLargeInputs($name, $array)
{
    // Mail a dump of the input and $_SERVER when an input array is unusually large.
    if (count($array) > 500) {
        mail('mymail@domain.tld', 'Large input in ' . $name,
            print_r($array, true) . print_r($_SERVER, true));
    }
}
detectLargeInputs('GET', $_GET);
detectLargeInputs('POST', $_POST);
detectLargeInputs('COOKIE', $_COOKIE);

This should show the problem within a day, including the $_SERVER info that also has fields like REQUEST_URI and HTTP_REFERER which should help you pinpoint the issue exactly.
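
An added example, not part of the original answer, that goes one step further than counting the parsed arrays: it compares the number of key=value pairs in the raw request with the configured max_input_vars and logs only the counts and the path. The helper names countRawPairs and reportIfOverLimit are assumptions.

```php
<?php
// Added example: spot form input that PHP truncated at max_input_vars.
// countRawPairs() and reportIfOverLimit() are hypothetical helper names.

function countRawPairs(string $raw): int
{
    // Each non-empty "key=value" segment between "&" is one input variable.
    return count(array_filter(explode('&', $raw), 'strlen'));
}

function reportIfOverLimit(string $source, string $raw, int $limit, string $uri): bool
{
    $pairs = countRawPairs($raw);
    if ($pairs <= $limit) {
        return false;
    }
    // Log counts and the path only; request values can hold passwords or tokens.
    error_log(sprintf('%s has %d variables, max_input_vars is %d, path=%s',
        $source, $pairs, $limit, strtok($uri, '?')));
    return true;
}

$limit = (int) ini_get('max_input_vars');
if (PHP_SAPI !== 'cli') {
    $uri = $_SERVER['REQUEST_URI'] ?? '';
    reportIfOverLimit('GET', $_SERVER['QUERY_STRING'] ?? '', $limit, $uri);
    // Only urlencoded form bodies are split into variables; JSON bodies are not,
    // and php://input is empty for multipart/form-data.
    $type = strtolower($_SERVER['CONTENT_TYPE'] ?? '');
    if (strpos($type, 'application/x-www-form-urlencoded') === 0) {
        reportIfOverLimit('POST', (string) file_get_contents('php://input'), $limit, $uri);
    }
} else {
    // Command line: constructed bodies, one over the limit and one well under it.
    $fields = array_map(fn($i) => "f$i=x", range(1, $limit + 1));
    var_dump(reportIfOverLimit('POST', implode('&', $fields), $limit, '/form.php?step=2'));
    var_dump(reportIfOverLimit('POST', 'a=1&b=2', $limit, '/form.php'));
}
```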

PHP E_WARNING Input variables exceeded not displayed

http://www.php.net/manual/en/errorfunc.configuration.php#ini.display-startup-errors

in your php.ini / htaccess

display_startup_errors = On

or you may need more...

error_reporting = -1
display_errors = On
display_startup_errors = On

Sadly, you can't do anything more than print it or not print it.


