Issues with the PHP 'max_input_vars' Setting · Article

What Is Covered

• Summary
• Frequently Asked Questions
     • What harm could it really do?
     • What is my setting?
     • Can I change my setting?
     • Is there anything that I can do if my host has suhosin installed?
     • Is there a check for this setting?


 

Summary

The PHP max_input_vars setting defines how many input variables are allowed to be sent to the server at once; this limit is applied to the $_GET, $_POST, and $_COOKIE superglobals. It is meant to mitigate denial of service attacks (which use hash collisions).

If the amount of variables exceeds the limit set by max_input_vars an E_WARNING error is issued, and further input variables are stripped from the request.

What this means is that if the data being received has more requests than max_input_vars are configured to accept, it'll just drop the requests accordingly. Where the PHP description (slightly rewritten to not be so sterile) states that requests AFTER the variable is reached are the only things dropped, we've seen the entire request handler dropped (example).


 

Frequently Asked Questions

 

What harm could it really do?

If, for whatever reason, your web host has this variable set lower than the default value, you could see configuration variables dropped completely, or at the very worst you could experience a behavior where your UBB.threads configuration file could be cleared.

 

What is my setting?

You can check your max_input_vars setting by opening the "PHP Info" link in the Control Panel (CP -> Tools & Information); the default is 1000 and should be fine for most sites.

 

Can I change my setting?

Some hosts allow users to offset some PHP and Apache configuration settings through .htaccess and php.ini files in the user home (based on whatever your "AllowOverride" setting is configured for in the web server's configuration). You can test this by adding the following to a .htaccess file in your web root and validating that it can be offset by looking at your phpinfo page in the UBB.threads Control Panel. The line to increase the "max_input_vars" setting is:


There is no "perfect value", and the total is completely relative to your install; the more forums you have the more of a chance you'll have at reaching this limit. To figure out a value for your forums you should take the amount of forums you have (X) and multiply that value by 26 (fields) and add 4 (additional fields); ex: (X forums * 26 fields)+ 4 additional fields. The result should be the minimum value needed.

 

Is there anything that I can do if my host has suhosin installed?

The default suhosin configuration also has several defaults that you may experience issues with; like the above "Can I change my setting?" section you can also attempt to override these settings by adding the following to a .htaccess file in your web root (more information can be found on the "Issues with the PHP Module 'suhosin'" entry):


 

Is there a check for this setting?

We have written a basic check for the max_input_vars setting in v7.6.0+ that will display an error if your web host has this value configured below the default value of 1000; however, for larger forums, this default value can be too low, and a good value for your site will vary based on how large your forum install is, and how many forums you are using.

The warning on the landing page of the Control Panel will give you a basic recommendation based on how many forums you have. The basic recommendation is a value of 2048; hoewver, if you have a large amount of forums that set your forum into a zone above this threshold, that value will be displayed instead.

The Control Panel warning is as follows:

Posted on April 17th, 2015 · Updated on January 13th, 2017

Return to the Article Index
Return to the Category "Troubleshooting"
Submit a Article for Review